Sunday, September 11, 2011

"# note: magic_quotes has to be turned off"

Whether out of bad security practice or simply out of irritation at the unwanted backslashes forced into request parameter values, many WordPress admins turn off the magic quotes feature in their installations (opening them up to potential string-based SQL injections). The best evidence for this claim is the number of results Google returns if you search for: "turn off magic quotes wordpress"
Now, if you want to test the WordPress SQL injection vulnerabilities presented on this site that carry the note "magic quotes has to be turned off" (i.e. play the part of a careless WordPress administrator), you'll have to do the following:

1) inside /var/www/wordpress/wp-settings.php, search for set_magic_quotes_runtime and make sure it's called like this:

set_magic_quotes_runtime( 0 );

2) in the same file, find and comment out this line:

// Add magic quotes and set up $_REQUEST ( $_GET + $_POST )
// wp_magic_quotes(); //<-- this has to be commented

3) disable PHP's magic_quotes_gpc as described here

p.s. don't make these changes on production WordPress site(s), as it will just open the door to new potential attacks
p.p.s. why is disclosing vulnerabilities that carry the note "magic quotes has to be turned off" as important as disclosing any others? Besides the fact that lots of web admins willingly decide to turn it off, the magic_quotes mechanism has been deprecated since PHP 5.3.0. That means that relying solely on that automatic mechanism (especially inside WordPress) to prevent SQL injection vulnerabilities (especially in the future) should be considered a big no-no.
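To make the point concrete, here is an added example (not from the original post, and not WordPress code) that emulates PHP's addslashes(), which is what magic_quotes_gpc and wp_magic_quotes() applied to every request value, and runs the resulting queries against an in-memory SQLite table of constructed sample rows. It shows three things the paragraph above argues: with magic quotes off a string-context concatenation is injectable; with magic quotes on a numeric-context concatenation is still injectable, because there is no quote to escape; and a parameterised query is safe either way, while magic quotes actively corrupts legitimate input that goes through it. SQLite does not treat a backslash as a string escape the way MySQL does, so the "magic quotes on, string context" case is shown at the SQL-text level only. Table name, column names and sample values are all constructed for this example.

```python
"""Why magic_quotes_gpc is not a SQL-injection defence (added example)."""
import sqlite3

# Constructed sample rows standing in for a WordPress-style users table.
SAMPLE_USERS = [
    (1, "admin", "admin@example.test"),
    (2, "editor", "editor@example.test"),
    (3, "o'brien", "ob@example.test"),
]


def addslashes(value: str) -> str:
    """Emulate PHP's addslashes(): a backslash before ', ", \\ and NUL.
    This is what magic_quotes_gpc / wp_magic_quotes() did to $_GET/$_POST."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return escaped.replace("\x00", "\\0")


def magic_quotes(params: dict, enabled: bool) -> dict:
    """Model the request layer: with magic quotes on, every value is slashed."""
    return {k: (addslashes(v) if enabled else v) for k, v in params.items()}


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_by_login_concat(conn, params):
    """Vulnerable pattern: request value pasted into a quoted string literal."""
    sql = "SELECT id, login FROM users WHERE login = '%s'" % params["login"]
    return conn.execute(sql).fetchall()


def lookup_by_id_concat(conn, params):
    """Numeric context: no quotes around the value, so addslashes has nothing
    to escape and magic quotes cannot help."""
    sql = "SELECT id, login FROM users WHERE id = %s" % params["id"]
    return conn.execute(sql).fetchall()


def lookup_by_login_prepared(conn, params):
    """The fix: bind the value; the driver never re-parses it as SQL."""
    sql = "SELECT id, login FROM users WHERE login = ?"
    return conn.execute(sql, (params["login"],)).fetchall()


def demo() -> dict:
    """Run each scenario and return the number of rows each query matched."""
    conn = fresh_db()
    results = {}

    # 1. Magic quotes off (the post's precondition), string context: the
    #    constructed payload closes the literal and the WHERE becomes always-true.
    off = magic_quotes({"login": "x' OR '1'='1"}, enabled=False)
    results["string_ctx_quotes_off"] = len(lookup_by_login_concat(conn, off))

    # 2. Magic quotes on, string context: the quotes arrive as \' in the SQL
    #    text. In MySQL that keeps the literal closed; SQLite has no backslash
    #    escapes, so this case is only shown as text here, not executed.
    on = magic_quotes({"login": "x' OR '1'='1"}, enabled=True)
    results["slashed_text"] = on["login"]

    # 3. Magic quotes on, numeric context: nothing to escape, still injectable.
    num = magic_quotes({"id": "1 OR 1=1"}, enabled=True)
    results["numeric_ctx_quotes_on"] = len(lookup_by_id_concat(conn, num))

    # 4. Prepared statement, magic quotes off: payload is compared literally.
    results["prepared_quotes_off"] = len(lookup_by_login_prepared(conn, off))

    # 5. The "irritation" side: a legitimate login containing an apostrophe is
    #    turned into o\'brien by magic quotes and no longer matches its own row,
    #    whereas with magic quotes off the prepared lookup finds it.
    legit_on = magic_quotes({"login": "o'brien"}, enabled=True)
    legit_off = magic_quotes({"login": "o'brien"}, enabled=False)
    results["prepared_quotes_on_legit"] = len(lookup_by_login_prepared(conn, legit_on))
    results["prepared_quotes_off_legit"] = len(lookup_by_login_prepared(conn, legit_off))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Scenario 3 is the one that matters for the argument: even an administrator who leaves magic quotes on is not protected wherever a parameter lands outside quotes, and scenario 5 shows why the feature gets switched off in the first place. Parameterised queries (in WordPress, $wpdb->prepare()) remove the dependency on the request layer altogether.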
