Fix remote SQL injection exploit.

"b2 0.6.2 and prior" allow sql injection in ./blog.header.php. $posts isn�t convert to integer, so we can inject a sql in this variable. In MySQL 4.x UNION and subselects can be used to obtain privileges. git-svn-id: http://svn.automattic.com/wordpress/trunk@153 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-24 13:54:59 +02:00 · 2003-06-04 00:14:49 +00:00 · 2003-06-04 00:14:49 +00:00 · 1aebecad96
commit 1aebecad96
parent 3b1ee8f5ab
1 changed files with 4 additions and 3 deletions
--- a/blog.header.php
+++ b/blog.header.php
@ -32,13 +32,13 @@ $b2varstoreset = array('m','p','posts','w','c', 'cat','withcomments','s','search


 /* Sending HTTP headers */
-@header ("X-Pingback: $siteurl/xmlrpc.php");
 // It is presumptious to think that WP is the only thing that might change on the page.
@header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); 				// Date in the past 
@header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified 
@header("Cache-Control: no-store, no-cache, must-revalidate"); 	// HTTP/1.1 
@header("Cache-Control: post-check=0, pre-check=0", false); 
@header("Pragma: no-cache"); 									// HTTP/1.0 
+@header ("X-Pingback: $siteurl/xmlrpc.php");

 /* Getting settings from db */
 $posts_per_page = get_settings('posts_per_page');
@ -58,9 +58,10 @@ $distinct = '';

 if ($pagenow != 'b2edit.php') { timer_start(); }

-if ($posts)
+if ($posts) {
+    $posts = (int)$posts;
 	$posts_per_page=$posts;
-
+}
 // if a month is specified in the querystring, load that month
 if ($m != '') {
 	$m = ''.intval($m);