Fix remote SQL injection exploit.

"b2 0.6.2 and prior" allow SQL injection in ./blog.header.php. $posts isn't
converted to an integer, so we can inject SQL through this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.


git-svn-id: http://svn.automattic.com/wordpress/trunk@153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
mikelittle 2003-06-04 00:14:49 +00:00
parent 3b1ee8f5ab
commit 1aebecad96


@ -32,13 +32,13 @@ $b2varstoreset = array('m','p','posts','w','c', 'cat','withcomments','s','search
/* Sending HTTP headers */
@header ("X-Pingback: $siteurl/xmlrpc.php");
// It is presumptious to think that WP is the only thing that might change on the page.
@header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
@header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified
@header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
@header("Cache-Control: post-check=0, pre-check=0", false);
@header("Pragma: no-cache"); // HTTP/1.0
@header ("X-Pingback: $siteurl/xmlrpc.php");
/* Getting settings from db */
$posts_per_page = get_settings('posts_per_page');
@ -58,9 +58,10 @@ $distinct = '';
if ($pagenow != 'b2edit.php') { timer_start(); }
if ($posts)
if ($posts) {
$posts = (int)$posts;
$posts_per_page=$posts;
}
// if a month is specified in the querystring, load that month
if ($m != '') {
$m = ''.intval($m);