Title: Sql injection
Last modified: August 21, 2016

---

# Sql injection

 *  Resolved [equynox](https://wordpress.org/support/users/equynox/)
 * (@equynox)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/)
 * Hi, I recently conducted a security audit on my webserver and the software reached
   these conclusions.
 * We discovered vulnerabilities in the scripts listed below. Next to each script,
   there is a description of the type of attack that is possible, and the way to
   recreate the attack. If the attack is a simple HTTP GET request, you can usually
   paste it into your browser to see how it works. If it’s a POST attack, the parameters
   for the POST request will be listed in square parenthesis.
 * Blind SQL Injection
    * URL: [http://mysite.com/mica-publicitate/afiseaza-anunt/?id=1/](http://mysite.com/mica-publicitate/afiseaza-anunt/?id=1/)
    * Affected Parameter: id
    * Vector Used: `VALUE AND SLEEP(24)=0`
    * Pattern found: Timing test
    * Complete Attack: `http://mysite.com/mica-publicitate/afiseaza-anunt?id=1/ AND SLEEP(24)=0`
    * Sample URL: [http://mysite.com/mica-publicitate/afiseaza-anunt](http://mysite.com/mica-publicitate/afiseaza-anunt)
    * Parameter name: id
 * Cross Site Scripting
    * URL: [http://mysite.com/mica-publicitate/afiseaza-anunt/?id=1/](http://mysite.com/mica-publicitate/afiseaza-anunt/?id=1/)
    * Affected Parameter: id
    * Vector Used: `"><script>alert(document.cookie)</script>`
    * Pattern found: `<script>alert(document.cookie)</script>`
    * Complete Attack: `http://mysite.com/mica-publicitate/afiseaza-anunt?id="><script>alert(document.cookie)</script>`
    * Sample URL: [http://mysite.com/mica-publicitate/afiseaza-anunt](http://mysite.com/mica-publicitate/afiseaza-anunt)
    * Parameter name: id
 * Any advice on how I should solve this issue?
 * [http://wordpress.org/extend/plugins/another-wordpress-classifieds-plugin/](http://wordpress.org/extend/plugins/another-wordpress-classifieds-plugin/)
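Both findings point at the same `id` parameter, so as an added illustration (not the AWPCP plugin's code, which is not shown in this thread) here is the shape of handler that produces a time-based blind SQL injection and a reflected XSS, next to the standard WordPress fix: cast the parameter with `absint()`, bind it through `$wpdb->prepare()`, and escape at output with `esc_html()`. The function names and the `classified_ads` table are hypothetical placeholders.

```php
<?php
// Added example, not code from the AWPCP plugin. Function names and the
// table name `{$wpdb->prefix}classified_ads` are hypothetical placeholders.

// Vulnerable shape: the raw request value reaches both the query and the page.
// A value such as "1 AND SLEEP(24)=0" becomes part of the SQL (the scanner's
// timing test), and a value containing "><script> is rendered as markup.
function show_ad_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT title, body FROM {$wpdb->prefix}classified_ads WHERE id = " . $id );
    echo '<h2>' . $row->title . '</h2>';
    echo '<p>Ad #' . $id . '</p>';
}

// Hardened shape: validate the type, bind the value, escape the output.
function show_ad_hardened() {
    global $wpdb;
    // absint() turns "1 AND SLEEP(24)=0" into 1 and "\"><script>..." into 0,
    // so nothing but a positive integer ever reaches the query or the page.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid ad id.', 'example-textdomain' ), '', array( 'response' => 400 ) );
    }
    // The %d placeholder binds the value as an integer; it is never interpolated as SQL text.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT title, body FROM {$wpdb->prefix}classified_ads WHERE id = %d",
            $id
        )
    );
    if ( null === $row ) {
        wp_die( esc_html__( 'Ad not found.', 'example-textdomain' ), '', array( 'response' => 404 ) );
    }
    // Escape at output: stored markup in the title is shown as text, not executed;
    // the body is limited to the post-safe HTML subset.
    echo '<h2>' . esc_html( $row->title ) . '</h2>';
    echo '<p>Ad #' . (int) $id . '</p>';
    echo wp_kses_post( wpautop( $row->body ) );
}
```

With the hardened version the scanner's timing test no longer changes the query, and its XSS payload is reduced to `id=0` before it is ever echoed.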

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [AWP Classifieds Team](https://wordpress.org/support/users/awpcp/)
 * (@awpcp)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685829)
 * I will have my developer evaluate your findings here and see if we can reproduce
   them.
 * It would help to know what the URLs translate to in English, since I don’t recognize
   them offhand. We will need to know that in order to test the issue.
 *  Thread Starter [equynox](https://wordpress.org/support/users/equynox/)
 * (@equynox)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685871)
 * OK, looking forward to an answer on how you solved this problem.
 *  Plugin Author [AWP Classifieds Team](https://wordpress.org/support/users/awpcp/)
 * (@awpcp)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685967)
 * Hi equynox,
 * My developer is looking into this and has some questions:
    – What version of AWPCP did you test against?
    – Are you using any of our premium modules?
    – Is it possible to know which tool was used to perform the security audit? I would
      like to try it myself and see what I get. Links would be appreciated.
 * We are unable to reproduce these issues on our current version, which is why 
   I’m asking.
 *  Thread Starter [equynox](https://wordpress.org/support/users/equynox/)
 * (@equynox)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685968)
 * Hello,
 * My version of AWPCP is 2.2.1.
 * No, I'm not using any of your premium modules, but I'm considering buying. The
   security audit software I used is scanmyserver.com.
 * You can run a test on a WordPress site with AWPCP and see what you get. Also,
   I don't have the plugin option for SEO URLs activated.
 * Looking forward to your assessment regarding this issue.
 *  [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * (@businessdirectoryplugin)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685980)
 * These issues will be resolved in 3.0 (final) version.

The topic ‘Sql injection’ is closed to new replies.

 * 5 replies
 * 3 participants
 * Last reply from: [Business Directory Plugin](https://wordpress.org/support/users/businessdirectoryplugin/)
 * Last activity: [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-4/#post-3685980)
 * Status: resolved