Comments on: WP TextLinkAds Plugin SQL Injection Vulnerability http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability Always something worth reading... Fri, 12 Mar 2010 11:09:45 +0000 http://wordpress.org/?v= hourly 1 By: Brian http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-8581 Brian Wed, 26 Mar 2008 08:02:01 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-8581 Does anyone know if this has been fixed yet, or a good version to use? Does anyone know if this has been fixed yet, or a good version to use?

]]> By: Nick http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6797 Nick Sun, 03 Feb 2008 12:15:03 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6797 I've just downloaded a new plugin version (<i>after being sent an e-mail from TLA</i>) and the problem still exists.... code from version 1.2.0... <code> function tla_send_new_post_alert($postId) { global $text_link_ads_object; $text_link_ads_object->postLevelPing($text_link_ads_object->tlaPingUrl.'?action=add&inventory_key='.$text_link_ads_object->websiteKey.'&post_id='.$postId); } </code> I’ve just downloaded a new plugin version (after being sent an e-mail from TLA) and the problem still exists…. code from version 1.2.0…

function tla_send_new_post_alert($postId)
{
global $text_link_ads_object;

$text_link_ads_object->postLevelPing($text_link_ads_object->tlaPingUrl.'?action=add&inventory_key='.$text_link_ads_object->websiteKey.'&post_id='.$postId);
}

]]> By: djbaxter http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6502 djbaxter Fri, 18 Jan 2008 16:16:15 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6502 I couldn't find the line "$postId = $postId;" at 512 or anywhere else in my TLA plugin. I went to the TLA site and downloaded a brand new plug-in to see if it had changed and it's nowhere to be found in that file either. I couldn’t find the line “$postId = $postId;” at 512 or anywhere else in my TLA plugin. I went to the TLA site and downloaded a brand new plug-in to see if it had changed and it’s nowhere to be found in that file either.

]]> By: SarahG http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6499 SarahG Fri, 18 Jan 2008 14:57:02 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6499 Ah re-reading your comment and the post an additional S has crept into the link, a simple typing error at a guess. I doubt that was intentional. My apologies, I was checking on www.textlinkads.com, no S after link and the whois gives TLA as owners. With DK being in Europe (UK judging by his about content) and this domain owner being in the US, I doubt he'd be feeding referrals to someone else on purpose (although he'd have to confirm). Ah re-reading your comment and the post an additional S has crept into the link, a simple typing error at a guess. I doubt that was intentional. My apologies, I was checking on http://www.textlinkads.com, no S after link and the whois gives TLA as owners.

With DK being in Europe (UK judging by his about content) and this domain owner being in the US, I doubt he’d be feeding referrals to someone else on purpose (although he’d have to confirm).

]]> By: Jonathan http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6496 Jonathan Fri, 18 Jan 2008 14:28:13 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6496 SarahG, Administrative Contact: Wong, Michael Art Dacor USA LLC 3727 West Magnolia Blvd #489 Burbank, California 91505 United States 8186883292 Sure doesn't look like TextLinkAds.com's whois. TLA does not own that domain. I personally don't care, but a little disclosure would be nice. SarahG,

Administrative Contact:
Wong, Michael
Art Dacor USA LLC
3727 West Magnolia Blvd
#489
Burbank, California 91505
United States
8186883292

Sure doesn’t look like TextLinkAds.com’s whois.

TLA does not own that domain.

I personally don’t care, but a little disclosure would be nice.

]]> By: BlogSecurity » Blog Archive » WP TextLinkAds Plugin SQL Injection Vulnerability follow up http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6492 BlogSecurity » Blog Archive » WP TextLinkAds Plugin SQL Injection Vulnerability follow up Fri, 18 Jan 2008 10:28:14 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6492 [...] advisory has been updated accordingly.     Enjoy the article? Please take a second to: [...] [...] advisory has been updated accordingly.     Enjoy the article? Please take a second to: [...]

]]> By: DK http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6491 DK Fri, 18 Jan 2008 10:23:43 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6491 Please note, SarahG kindly sent me this plugin (v3.0.8). There is some wierd stuff going on with the version but v3.0.8 is affected in the same way. I will the advisory accordingly. Please note, SarahG kindly sent me this plugin (v3.0.8). There is some wierd stuff going on with the version but v3.0.8 is affected in the same way. I will the advisory accordingly.

]]> By: SarahG http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6490 SarahG Fri, 18 Jan 2008 09:39:03 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6490 Johnathan, like all good businesses, TLA own both the hypenated and unhyphenated versions. There's no referral link in DK's post. Try a whois on the domain to be sure. Johnathan, like all good businesses, TLA own both the hypenated and unhyphenated versions. There’s no referral link in DK’s post. Try a whois on the domain to be sure.

]]> By: BloggingTom http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6486 BloggingTom Fri, 18 Jan 2008 06:42:57 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6486 Well, i just checked it too with the same options SarahG has choosed. Now it is version 3.0.9. I'll send you an email with the plugin... And about Jonathan: He's just complaining about the link in the text above which links to textlinksads.com instead of text-link-ads.com... Well, i just checked it too with the same options SarahG has choosed. Now it is version 3.0.9. I’ll send you an email with the plugin…

And about Jonathan: He’s just complaining about the link in the text above which links to textlinksads.com instead of text-link-ads.com…

]]> By: Jonathan http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/comment-page-1#comment-6482 Jonathan Thu, 17 Jan 2008 22:16:15 +0000 http://blogsecurity.net/wordpress/wp-textlinkads-plugin-sql-injection-vulnerability/#comment-6482 DK, I'm just wondering, what is textlinkSads.com? isn't the domain text-link-ads.com? DK,

I’m just wondering, what is textlinkSads.com? isn’t the domain text-link-ads.com?

]]>