SQL injection vulnerability: search query not escaped (patch posted)

  • Resolved sbuntu

    (@sbuntu)


    7 years, 4 months ago

    With the 2.0.2 version of ACF Better Search I’m getting an SQL error returned on the search results page when I include an apostrophe in the search query.

    Seems like this could be exploited – please fix ASAP!

    WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘%’) AND (b.meta_id = a.meta_id + 1) AND (c.post_name = b.meta_value)) OR ((wp_po’ at line 1]
    SELECT DISTINCT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts LEFT JOIN wp_postmeta AS a ON (a.post_id = wp_posts.ID) LEFT JOIN wp_postmeta AS b ON (b.post_id = wp_posts.ID) LEFT JOIN wp_posts AS c ON ((c.post_type = ‘acf-field’) AND ((c.post_content LIKE ‘%:”text”%’) OR (c.post_content LIKE ‘%:”textarea”%’) OR (c.post_content LIKE ‘%:”number”%’) OR (c.post_content LIKE ‘%:”email”%’) OR (c.post_content LIKE ‘%:”url”%’) OR (c.post_content LIKE ‘%:”wysiwyg”%’) OR (c.post_content LIKE ‘%:”select”%’) OR (c.post_content LIKE ‘%:”checkbox”%’) OR (c.post_content LIKE ‘%:”radio”%’))) WHERE 1=1 AND (((a.meta_value LIKE ‘%test’%’) AND (b.meta_id = a.meta_id + 1) AND (c.post_name = b.meta_value)) OR ((wp_posts.post_title LIKE ‘%test’%’) OR (wp_posts.post_content LIKE ‘%test’%’) OR (wp_posts.post_excerpt LIKE ‘%test’%’))) AND wp_posts.post_type IN (‘post’, ‘page’, ‘attachment’, ‘listing’) AND (wp_posts.post_status = ‘publish’ OR wp_posts.post_status = ‘acf-disabled’ OR wp_posts.post_author = 1 AND wp_posts.post_status = ‘private’) ORDER BY wp_posts.post_title LIKE ‘%test%’ DESC, wp_posts.post_date DESC LIMIT 0, 999

    • This topic was modified 7 years, 4 months ago by sbuntu.
    • This topic was modified 7 years, 4 months ago by sbuntu.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter sbuntu

    (@sbuntu)

    the problem –– LIKE ‘%test’%’)

    the search term was test’ –?this is not being escaped prior to insertion to the SQL query?

    Thread Starter sbuntu

    (@sbuntu)

    Temporary patch: you can edit includes/search.php lines 60 – 61:

    $acfConditions       = $this->getACFConditions($query->query_vars['s']);
$wordpressConditions = $this->getDefaultWordPressConditions($query->query_vars['s']);

change to

$acfConditions = $this->getACFConditions( addslashes($query->query_vars['s']) );
$wordpressConditions = $this->getDefaultWordPressConditions( addslashes($query->query_vars['s']) );
    Plugin Author Mateusz Gbiorczyk

    (@mateuszgbiorczyk)

    Hi,

    Thank you for reporting. I made an update to correct the error.

    I changed the code differently than you suggested, but thank you for your commitment.

    If you can give this also a rating of my plugin. I will be grateful!

    Thread Starter sbuntu

    (@sbuntu)

    Thanks for addressing this issue quickly!

    Plugin Author Mateusz Gbiorczyk

    (@mateuszgbiorczyk)

    Thanks you ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘SQL injection vulnerability: search query not escaped (patch posted)’ is closed to new replies.