WordPress » 2005 » November

You are browsing November 2005
Good health~

Good health~
Better than anything else~

phpWordPress SQL Injection Vulnerabilities

Today I saw this mail on the Secunia mailing list, "phpWordPress SQL Injection Vulnerabilities". Since it concerns WordPress, which I use and support, my heart skipped a beat (Secunia's mails give me a scare every few days!).
I opened it and read:

r0t has reported some vulnerabilities in phpWordPress, which can be
exploited by malicious people to conduct SQL injection attacks.

Input passed to the “poll”, “category”, and “ctg” parameters in
“index.php” isn’t properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Strange, where would WordPress get parameters like "poll" and "ctg"?
Reading on:

The vulnerability has been reported in version 3.0 and prior. Other
versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

Whoa, I look away for a few days and it is already at 3.0!
I hurried to verify, and it turns out it is "phpWordPress", not "php WordPress".

After much effort I found the phpWordPress homepage; it turns out to be a commercial blog product.
Its footer honestly declares:

This site is not affiliated with the open-source program WordPress in any way.
If you are looking for WordPress, please go to WordPress.org

So, brother, if you want to raise your site's profile, turning up an Injection-type security hole every now and then while picking a name close to a famous one looks like a workable idea.
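The advisory above names the fault (request parameters such as "category" pasted into a SQL query without sanitising) but shows no code, and phpWordPress's source is not on this page. The following is an added example, not the project's code and not from the Secunia advisory: it reproduces the vulnerable pattern and the fix in Python with an in-memory sqlite3 database standing in for PHP and MySQL. The table name, its columns and the rows are constructed for the demonstration; the payloads are classic, not ones reported against phpWordPress.

```python
import sqlite3

# Constructed sample data; this is not phpWordPress's schema.
SAMPLE_POSTS = [
    (1, "Welcome", "news"),
    (2, "Changelog 3.0", "news"),
    (3, "Admin notes", "private"),
]


def build_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, category TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def titles_by_category_vulnerable(conn, category):
    """The pattern the advisory describes: the raw request parameter is
    concatenated into the SQL string, so quote characters in it change the
    query's structure."""
    sql = "SELECT title FROM posts WHERE category = '" + category + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_by_category_safe(conn, category):
    """The fix: a bound parameter. The value travels separately from the
    statement text, so a quote inside it is just a character to compare."""
    sql = "SELECT title FROM posts WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


# Two classic injection strings (constructed, not from the advisory).
# The first widens the WHERE clause; the second appends a UNION that reads a
# different column, with "--" commenting out the trailing quote.
TAUTOLOGY = "news' OR '1'='1"
UNION_PULL = "x' UNION SELECT category FROM posts --"


def demo():
    conn = build_db()
    return {
        "normal": titles_by_category_safe(conn, "news"),
        # The vulnerable query returns every row, including the private one.
        "vuln_tautology": titles_by_category_vulnerable(conn, TAUTOLOGY),
        # The vulnerable query leaks values from a column it never selected.
        "vuln_union": set(titles_by_category_vulnerable(conn, UNION_PULL)),
        # The parameterised query looks for a category literally named
        # "news' OR '1'='1" and finds nothing.
        "safe_tautology": titles_by_category_safe(conn, TAUTOLOGY),
        "safe_union": titles_by_category_safe(conn, UNION_PULL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Escaping the quote characters (the "sanitising" the advisory asks for) closes the hole only if every code path does it and does it correctly for the database's quoting rules; binding parameters, as in the second function, removes the question entirely. For a purely numeric parameter such as "poll", converting the value to an integer before it reaches the query is an equivalent, simpler guard.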

Protected: My Xoops Story

This post is password protected.