Fix remote SQL injection exploit.
"b2 0.6.2 and prior" allow SQL injection in ./blog.header.php. $posts isn't converted to an integer, so SQL can be injected through this variable. In MySQL 4.x, UNION and subselects can be used to obtain privileges. git-svn-id: http://svn.automattic.com/wordpress/trunk@153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
3b1ee8f5ab
commit
1aebecad96
@ -32,13 +32,13 @@ $b2varstoreset = array('m','p','posts','w','c', 'cat','withcomments','s','search
|
|||
|
||||
|
||||
/* Sending HTTP headers */
|
||||
@header ("X-Pingback: $siteurl/xmlrpc.php");
|
||||
// It is presumptious to think that WP is the only thing that might change on the page.
|
||||
@header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
|
||||
@header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified
|
||||
@header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
|
||||
@header("Cache-Control: post-check=0, pre-check=0", false);
|
||||
@header("Pragma: no-cache"); // HTTP/1.0
|
||||
@header ("X-Pingback: $siteurl/xmlrpc.php");
|
||||
|
||||
/* Getting settings from db */
|
||||
$posts_per_page = get_settings('posts_per_page');
|
||||
|
@ -58,9 +58,10 @@ $distinct = '';
|
|||
|
||||
if ($pagenow != 'b2edit.php') { timer_start(); }
|
||||
|
||||
if ($posts)
|
||||
if ($posts) {
|
||||
$posts = (int)$posts;
|
||||
$posts_per_page=$posts;
|
||||
|
||||
}
|
||||
// if a month is specified in the querystring, load that month
|
||||
if ($m != '') {
|
||||
$m = ''.intval($m);
|
||||
|
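Review bot: The new `(int)` cast on `$posts` closes the injection but still lets a zero or negative value flow into `$posts_per_page`, which is presumably interpolated into a LIMIT clause later in this file, where `LIMIT 0` returns nothing and `LIMIT -1` is a MySQL syntax error instead of falling back to the configured default. I would only accept positive values, e.g. `if ((int)$posts > 0) {` followed by `$posts_per_page = (int)$posts;`. The `$b2varstoreset` list in the first hunk header also registers `p`, `w`, `c` and `cat`, and only `$m` is visibly normalised with `intval()` here, so the other integer-valued parameters are worth auditing for the same pattern, though their handling lies outside this hunk. The enclosing script continues past the end of the hunk.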
|