Escaped terms = MYSQL Query Errors + Security issues


This topic contains 6 replies, has 2 voices, and was last updated by will 8 years, 10 months ago.

    #4877
    will
    Participant

    Search terms/characters seem to be escaped multiple times resulting in mysql query errors, for example:

    WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hello\\\\');</script>')
     then 3 else 0 end) + (case when
     ' at line 10 for query
        SELECT
        wp_terms.name as title,
        wp_terms.term_id as id,
        '' as content,
        '' as date,
        '' as author,
        wp_term_taxonomy.taxonomy as taxonomy,
        'term' as content_type,
        ((case when
        (lower(wp_terms.name) REGEXP '<script>alert(\\\\'hello\\\\');</script>')
        then 3 else 0 end) + (case when
        (lower(wp_terms.name) REGEXP '<script>alert(\\\\'hello\\\\');</script>')
        then 10 else 0 end) + (case when
        (lower(wp_terms.name) REGEXP '<script>alert(\\\\'hello\\\\');</script>')
        then 10 else 0 end)) as relevance
        FROM wp_terms
        LEFT JOIN wp_term_taxonomy ON wp_terms.term_id = wp_term_taxonomy.term_id
        WHERE
        (wp_term_taxonomy.taxonomy REGEXP '[[:<:]]category[[:>:]]')
        AND (( wp_terms.name LIKE '%<script>alert(\\\\'hello\\\\');</script>%' ))
        AND (wp_terms.term_id NOT IN (-55))
        GROUP BY
        wp_terms.term_id
        ORDER BY relevance DESC, wp_terms.name ASC
        LIMIT 10
    made by require('wp-blog-header.php'), wp, WP->main, WP->query_posts, WP_Query->query, WP_Query->get_posts, apply_filters_ref_array, call_user_func_array, asp_search_filter_posts, ajaxsearchpro_search, wpdreams_search->search, wpdreams_searchTerms->do_search, referer:

    The original search term was <script>alert('hello');</script>
    Obviously this isn't a standard search, but all cases need to be considered.

    This also results in HTML errors within the search form, as seen below (see attached screenshots).

    We believe this could also be a security issue for other users. Can you please advise and/or patch this issue?

    Thank you

    Attachments:
    #4879
    Ernest Marcinko
    Keymaster

    Hi!

    May I ask which WordPress version you are using? I've been testing the search against hundreds of injection and XSS cases, but I wasn't able to get anything.

    I've tried the phrase you gave, but it doesn't do the same for me. All terms are filtered with the $wpdb->esc_like() call, and the query is then passed on to the WordPress database layer for further checks.

    Some previous (4.0) versions of WordPress had some trouble escaping these kinds of statements, but as far as I know there is no known security flaw in the current WP version.

    All you did was enter that snippet and the code just broke? Or did you enter it via the web inspector? Single or double quotes?

    If you want, I can check this on your server; maybe there is something different from my test environment and demo servers. It looks like a front-end issue due to the invalid input, which messes up the DOM tree. I couldn't reproduce it on Chrome, maybe another browser. If you refresh the page, it's gone, isn't it?

    The database error is a good sign: it means the query is not executed, so the escaping was successful. It would be a bigger problem if this reached the statistics database un-escaped.

    Let me know if I can check this on your server, or give me the exact steps (including WP version, operating system, browser type and version) on how I should re-create the problem. It does not look like a security flaw, as the query is not executed, but it's definitely worth investigating further.

    Thank you for the notice!

    Best,
    Ernest Marcinko

    If you like my products, don't forget to rate them on codecanyon :)


    #4883
    will
    Participant

    Thanks for the speedy response.

    We are using WordPress version 4.2.2. Yes, I just entered <script>alert('hello');</script> with single quotes surrounding 'hello', via the normal form, not via the web inspector. Using Chrome browser Version 43.0.2357.65 (64-bit).

    Are there any search settings you would like to know to ensure the tests are the same?

    After refreshing the page, because the 's' query parameter in the URL contains the search <script>alert(%27hello%27);</script>, the DOM tree errors remain. We also get the same results in Safari.

    The server WP is running on is an Amazon EC2 instance with Ubuntu 14.04.2 and MySQL version 5.6.19-0ubuntu0.14.04.1.

    Thanks,
    Will

    #4887
    Ernest Marcinko
    Keymaster

    Hi!

    That's what I needed to know. This is happening when the search parameter is written back into the input field if the "s" GET variable is set.

    Let me do some tests on how this is passed to the database in this case. I'll also suggest a temporary fix when I'm done.

    Best,
    Ernest Marcinko



    #4948
    will
    Participant

    OK, we will disable the s parameter for now and await your reply. Thanks for looking into it.

    #5019
    Ernest Marcinko
    Keymaster

    Hi!

    I've done a good amount of security tests, so far no problems. The query fails every time due to the multiple escape calls.

    The problem occurs because the plain $_GET[s] value is echoed into the search text field before escaping. I've found a quick and effective fix using one internal WordPress call.

    If you open the plugins/ajax-search-pro/includes/views/asp.shortcode.probox.php file and go to line 44, you should see the input field output, and at the end of the line there is something like:

    ... value='<?php echo isset($_GET['s'])?$_GET['s']:''; ?>' autocomplete="off">

    change it to:

    ... value='<?php echo get_search_query(); ?>' autocomplete="off">

    The problem will disappear right away. I'm including this fix in the upcoming version, of course.

    Best,
    Ernest Marcinko


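The two versions of the input line quoted above, reproduced outside WordPress as an added example (this is not the plugin's own code nor WordPress code). asp_esc_attr() is assumed here as a stand-in for the attribute escaping that get_search_query() applies internally via esc_attr(); the search term is the constructed input from this thread.

```php
<?php
// Added example, not code from the Ajax Search Pro plugin or from WordPress.
// asp_esc_attr() stands in for WordPress esc_attr(): it encodes &, <, >, " and '
// so a search term can never terminate the single-quoted value attribute.
function asp_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The line as it stood on line 44: the raw GET value is echoed straight into a
// single-quoted attribute, so a ' in the term closes value='...' early and the
// rest of the term is handed to the browser as markup (the DOM errors seen above).
function render_unescaped(array $get): string {
    $s = isset($get['s']) ? $get['s'] : '';
    return "<input type='text' name='s' value='" . $s . "' autocomplete=\"off\">";
}

// The suggested fix: the value passes through attribute escaping first, which is
// what get_search_query() does for the 's' query variable.
function render_escaped(array $get): string {
    $s = isset($get['s']) ? $get['s'] : '';
    return "<input type='text' name='s' value='" . asp_esc_attr($s) . "' autocomplete=\"off\">";
}

// Check used only by this demonstration: the rendered tag must carry exactly the
// three single-quoted attributes it was written with (six ' characters in total),
// and the captured value must contain no raw '<' that could start a new element.
function attribute_intact(string $html): bool {
    if (!preg_match("/value='([^']*)'/", $html, $m)) {
        return false;
    }
    return substr_count($html, "'") === 6 && strpos($m[1], '<') === false;
}

// Constructed input: the search term reported in this thread.
$query = ['s' => "<script>alert('hello');</script>"];

echo render_unescaped($query), PHP_EOL;
echo render_escaped($query), PHP_EOL;
var_dump(attribute_intact(render_unescaped($query)));
var_dump(attribute_intact(render_escaped($query)));
```

Run with `php example.php`; the first var_dump reports the attribute broken, the second reports it intact, while the escaped value still decodes back to the user's original term when the browser reads the attribute.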

    #5103
    will
    Participant

    Hi Ernest,

    Sorry, for some reason I can't add a new post to the forum, so I have had to add a comment in here.

    We're having a couple of issues at the moment. The first is that when overriding the WordPress search page and displaying the AJAX search results there instead, only a maximum of 6 are shown. We're using 'Blog 1 Column' to display the results, with -1 for the items per page and 'No' for pagination (same issue when the default search page 'Blog 2 Column' is used). I know there should be more results, as they appear in the AJAX search dropdown and Max results is set to 25. Any ideas?

    The second is that our Apache error log is filled with these warnings:
    PHP Warning: Illegal string offset 'images' in /var/www/html/wp-content/plugins/ajax-search-pro/backend/settings/class/imageradio.class.php on line 35, referer: /wp-admin/admin.php?page=ajax-search-pro%2Fbackend%2Fsettings.php&asp_sid=2
    PHP Warning: Illegal string offset 'value' in /var/www/html/wp-content/plugins/ajax-search-pro/backend/settings/class/imageradio.class.php on line 36, referer: /wp-admin/admin.php?page=ajax-search-pro%2Fbackend%2Fsettings.php&asp_sid=2
    PHP Warning: Invalid argument supplied for foreach() in /var/www/html/wp-content/plugins/ajax-search-pro/backend/settings/class/imageradio.class.php on line 20, referer: /wp-admin/admin.php?page=ajax-search-pro%2Fbackend%2Fsettings.php&asp_sid=2

    Can we stop them, or suppress them?

    Thanks
