Encoding Issue causing PHP Error and SQL Injection
-
Certain search strings are not being encoded/decoded by the plugin correctly and are thus:
1. Causing the WP_Query SQL string to break, resulting in a WordPress Database error, and
2. Exposing a SQL injection vulnerability. It is currently possible to use certain character combinations to inject a single apostrophe (see below). Ack!

An example search parameter that causes this is:
/?s=A+%5C%27

Resulting in error:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%')) OR (((m.meta_value LIKE '%A%') AND (m.meta_value LIKE '%%')) OR (m.meta_va' at line 1] SELECT DISTINCT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts LEFT JOIN wp_term_relationships AS trel ON (wp_posts.ID = trel.object_id) LEFT JOIN wp_term_taxonomy AS ttax ON ( ( ttax.taxonomy = 'category' OR ttax.taxonomy = 'post_format' OR ttax.taxonomy = 'action-group' OR ttax.taxonomy = 'product_type' OR ttax.taxonomy = 'product_cat' OR ttax.taxonomy = 'product_tag' OR ttax.taxonomy = 'product_shipping_class' OR ttax.taxonomy = 'tribe_events_cat' OR ttax.taxonomy = 'issue_date' OR ttax.taxonomy = 'project_type' OR ttax.taxonomy = 'project_site' ) AND trel.term_taxonomy_id = ttax.term_taxonomy_id) LEFT JOIN wp_terms AS tter ON (ttax.term_id = tter.term_id) LEFT JOIN wp_postmeta AS m ON (wp_posts.ID = m.post_id) LEFT JOIN wp_users AS u ON (wp_posts.post_author = u.ID) WHERE 1=1 AND ( ( (((((wp_posts.post_title LIKE '%A%') OR (wp_posts.post_content LIKE '%A%')) AND ((wp_posts.post_title LIKE '%%') OR (wp_posts.post_content LIKE '%%'))) OR (((tter.slug LIKE '%a%') AND (tter.slug LIKE '%%')) OR (tter.slug LIKE '%a%')) OR (((ttax.description LIKE '%A%') AND (ttax.description LIKE '%%')) OR (ttax.description LIKE '%A \\'%')) OR (((m.meta_value LIKE '%A%') AND (m.meta_value LIKE '%%')) OR (m.meta_value LIKE '%A \\'%')) OR (((wp_posts.post_excerpt LIKE '%A%') AND (wp_posts.post_excerpt LIKE '%%')) OR (wp_posts.post_excerpt LIKE '%A \\'%')) OR ((u.display_name LIKE '%A%') OR (u.display_name LIKE '%%') OR (u.display_name LIKE '%A \\'%')) )) AND wp_posts.post_type IN ('post', 'page', 'attachment', 'nf_sub', 'product', 'wbeexportfile', 'tribe_events', 'tribe_venue', 'programs', 'resources', 'preservationinprint', 'projects') AND (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'acf-disabled' OR wp_posts.post_author = 1 AND wp_posts.post_status = 'private')) AND post_type != 'revision') AND post_status != 'future' ORDER BY (CASE WHEN wp_posts.post_title LIKE '%A \\\\\'%' THEN 1 WHEN wp_posts.post_title LIKE '%\\\\%' THEN 2 WHEN wp_posts.post_excerpt LIKE '%A \\\\\'%' THEN 4 WHEN wp_posts.post_content LIKE '%A \\\\\'%' THEN 5 ELSE 6 END), wp_posts.post_date DESC LIMIT 0, 12

I have to disable the plugin and urge everyone else to disable this plugin until the vulnerability has been fixed. Please contact me when this has been patched.
Thank you!
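Added example (Python, not code from the plugin or from WordPress) illustrating the break visible in the error above: the WHERE fragments read `LIKE '%A \\'%'`, with the backslash doubled but the apostrophe left unescaped, so the literal closes at that apostrophe and the rest of the statement is parsed out of sync, while the ORDER BY fragments read `LIKE '%A \\\\\'%'`, the fully escaped form that the same input `A \'` produces when both escaping steps are applied. `esc_like` mirrors what WordPress's `$wpdb->esc_like()` does (addcslashes on `_%\`), `esc_sql` mirrors MySQL string-literal escaping, and `sql_literals` is a small tokenizer of my own that reports a literal left open by a stray quote.

```python
# Step 1: escape LIKE metacharacters, mirroring WordPress $wpdb->esc_like(),
# which is addcslashes($text, '_%\\').
def esc_like(term: str) -> str:
    return "".join("\\" + c if c in "\\%_" else c for c in term)

# Step 2: escape for a MySQL single-quoted literal (what $wpdb->prepare('%s')
# does). Skipping this step lets an apostrophe in the term end the literal.
_SQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def esc_sql(s: str) -> str:
    return "".join(_SQL_ESCAPES.get(c, c) for c in s)

def like_clause(column: str, term: str) -> str:
    """Safe form: esc_like first, then esc_sql, then wrap in quotes."""
    return f"({column} LIKE '%{esc_sql(esc_like(term))}%')"

# Inverse of MySQL literal escaping; \% and \_ keep their backslash so the
# LIKE engine still sees them as escaped wildcards.
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a", "%": "\\%", "_": "\\_"}

def sql_literals(sql: str) -> list[str]:
    """Decoded contents of every single-quoted literal in sql. Raises ValueError when a
    literal is opened but never closed, the state a stray, unescaped apostrophe leaves."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'": i += 1; continue
        start, i, buf = i, i + 1, []
        while True:
            if i >= n:
                raise ValueError(f"unterminated literal opened at offset {start}")
            c = sql[i]
            if c == "\\" and i + 1 < n:                          # backslash escape
                buf.append(_UNESCAPE.get(sql[i + 1], sql[i + 1])); i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":   # doubled quote
                buf.append("'"); i += 2
            elif c == "'":                                       # closing quote
                i += 1; break
            else:
                buf.append(c); i += 1
        out.append("".join(buf))
    return out

if __name__ == "__main__":
    print(like_clause("m.meta_value", "A \\'"))   # same text as the ORDER BY fragment
    broken = "(m.meta_value LIKE '%A \\\\'%')"    # the WHERE fragment from the error
    try:
        sql_literals(broken)
    except ValueError as e:
        print("broken:", e)
```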