Closed kkatpcc closed 1 year ago
Ok, I see. The problem is the extra "FROM" in the search query. One of the hooks in Relevanssi Light works by replacing the "FROM" in the MySQL query with more MySQL. Since I was using str_replace()
, it replaced all occurrences of "FROM", even the extra ones from the query, which breaks the MySQL code.
It looks like the fix here is to replace str_replace()
with preg_replace()
, as that can be set to replace only the first occurrence.
Hopefully, this vulnerability is hard to use for anything malicious. It's probably hard to formulate an attack that doesn't make the MySQL query simply fail.
Versions
WP version: 6.0.3 & 6.1.1 (only ones tested) Relevanssi Light (this) plugin version: 1.2.1 (only one tested)
Description
The latest stable version of this plugin (1.2.1) seems to have as subtle sql injection vulnerability at https://github.com/msaari/relevanssi-light/blob/77fc47451f35a6af059d064637f74f9aa0f7bdaa/relevanssi-light.php#L257
None of the following errors occur with search when this plugin is disabled, i.e. no problems with stock WP search.
Proof of concept
raw query text:
before') AND FAIL=(SELECT FAIL FROM FAIL(FAIL)) AND ('after'='after
encoded as search:
/?s=before%27%29%20AND%20FAIL%3D%28SELECT%20FAIL%20FROM%20FAIL%28FAIL%29%29%20AND%20%28%27after%27%3D%27after
PHP error log result, indicating that some of the injected SQL made it through: