WordPress fixes SQL injection bug in urgent update
What is the cause of the vulnerability?
According to the WordPress team, WordPress core is not in immediate danger, but the new version adds extra protection in case plugins or themes accidentally trigger this vulnerability.
Anthony Ferrara reported the problem on September 20 through the HackerOne platform. The WordPress developers had already tried to fix the bug in version 4.8.2, but that fix did not secure the core. The update broke functionality on many websites, potentially affecting over 1.2 million lines of code.
The day after the release, Ferrara reported that the fix was flawed, but his report was ignored for several weeks. Only after he notified the WordPress team that he intended to disclose the problem publicly, five weeks later, did they agree on a date for the public announcement.
WordPress, in cooperation with Ferrara, released a fix that reduces the risk. However, according to Ferrara himself, this is not enough to solve the problems caused by the previous patch.
A possible solution to the problem
Ferrara noted:
The current fix completely removes the prepare mechanism, which returns a string of SQL queries. Do what everyone else does: return an expression or query object, or execute the query directly. This way you will not be able to duplicate the string.
It should be noted that this solution will entail major changes for WP.
It is not necessary to change everything at once – you can develop an alternative solution in parallel with the existing API. This will be problematic, but necessary.
The existing API is not secure. This does not mean that it is constantly under attack, but that it needs to be reworked urgently.
“The danger is reduced,” added Ferrara. “At first, the prospect of cooperation was not encouraging, but it has improved over the years. If I was disappointed over the last 6 weeks, now I hope for the best.”
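As an added illustration of Ferrara's point (a constructed toy model, not WordPress's own $wpdb code): with a prepare() that returns a string, nothing marks the result as already prepared, so untrusted input containing a %s is treated as a placeholder on a second pass; a query object keeps template and bound values apart and refuses to be prepared again. The table, column and function names below are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Any, Tuple

# Constructed toy model, not WordPress's $wpdb: it shows why a prepare() that
# returns SQL text can be applied twice, while a query object cannot.
PLACEHOLDER = re.compile(r"%s")
TEMPLATE = "SELECT * FROM wp_posts WHERE post_name = %s"

def prepare_to_string(sql: str, *args: Any) -> str:
    """prepare() that returns SQL text: each %s becomes the quoted, '-escaped
    argument. Nothing in the result records that it was already prepared, so
    it can be run through prepare() again, by the same code or by a plugin."""
    it = iter(args)
    def bind(m):
        value = next(it, None)       # None is not a valid bind value in this toy
        if value is None:            # more %s than arguments: leave the slot alone
            return m.group(0)
        return "'" + str(value).replace("'", "''") + "'"
    return PLACEHOLDER.sub(bind, sql)

@dataclass(frozen=True)
class PreparedQuery:
    """Query object: template and bound values stay separate until execution."""
    sql: str
    params: Tuple[Any, ...]

def prepare_to_object(sql: str, *args: Any) -> PreparedQuery:
    """The alternative Ferrara proposes: return an object, never a string."""
    if isinstance(sql, PreparedQuery):
        raise TypeError("already prepared; a query object cannot be prepared again")
    if len(PLACEHOLDER.findall(sql)) != len(args):
        raise ValueError("placeholder/argument count mismatch")
    return PreparedQuery(sql, tuple(args))

def string_model(untrusted: str) -> Tuple[str, str]:
    """Query text after one and after two passes through prepare_to_string()."""
    once = prepare_to_string(TEMPLATE, untrusted)
    # Second pass: a %s that arrived as DATA in pass one is now treated as a slot,
    # so untrusted input changes the shape of the query text.
    twice = prepare_to_string(once, "x")
    return once, twice

def second_prepare_rejected(q: PreparedQuery) -> bool:
    """True if the query-object API refuses to prepare an already-prepared query."""
    try:
        prepare_to_object(q, "x")
    except TypeError:
        return True
    return False
```

Compare the two passes of string_model("%s") with prepare_to_object(TEMPLATE, "%s"), whose params keep the literal "%s" as data.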