[geeklog-cvs] geeklog: Fixed SQL injection exploit in usersettings.php
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Fri Apr 17 16:44:25 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/71e0b093375c
changeset: 6951:71e0b093375c
user: vinny
date: Fri Apr 17 14:42:28 2009 -0600
description:
Fixed SQL injection exploit in usersettings.php
See: http://www.milw0rm.com/exploits/8448
diffstat:
1 file changed, 16 insertions(+), 6 deletions(-)
public_html/usersettings.php | 22 ++++++++++++++++------
diffs (51 lines):
diff -r be9bbaaa4bf8 -r 71e0b093375c public_html/usersettings.php
--- a/public_html/usersettings.php Thu Apr 16 23:39:31 2009 -0600
+++ b/public_html/usersettings.php Fri Apr 17 14:42:28 2009 -0600
@@ -1372,23 +1372,33 @@
}
}
- $TIDS = @array_values($A[$_TABLES['topics']]);
- $AIDS = @array_values($A['selauthors']);
- $BOXES = @array_values($A["{$_TABLES['blocks']}"]);
- $ETIDS = @array_values($A['etids']);
+ $TIDS = @array_values($A[$_TABLES['topics']]); // array of strings
+ $AIDS = @array_values($A['selauthors']); // array of integers
+ $BOXES = @array_values($A["{$_TABLES['blocks']}"]); // array of integers
+ $ETIDS = @array_values($A['etids']); // array of strings
+ $AETIDS = USER_getAllowedTopics(); // array of strings (fetched, needed to "clean" $TIDS and $ETIDS)
$tids = '';
if (sizeof ($TIDS) > 0) {
- $tids = addslashes (implode (' ', $TIDS));
+ // the array_intersect mitigates the need to scrub the TIDS input
+ $tids = addslashes (implode (' ', array_intersect ($AETIDS, $TIDS));
}
$aids = '';
if (sizeof ($AIDS) > 0) {
+ // Scrub the AIDS array to prevent SQL injection and bad values
+ foreach ($AIDS as $key => $val) {
+ $AIDS[$key] = COM_applyFilter($val, true);
+ }
$aids = addslashes (implode (' ', $AIDS));
}
$selectedblocks = '';
if (count ($BOXES) > 0) {
+ // Scrub the BOXES array to prevent SQL injection and bad values
+ foreach ($BOXES as $key => $val) {
+ $BOXES[$key] = COM_applyFilter($val, true);
+ }
$boxes = addslashes (implode (',', $BOXES));
$blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
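Review bot: The new `$tids` assignment is missing a closing parenthesis — `addslashes (implode (' ', array_intersect ($AETIDS, $TIDS));` closes only two of the three calls it opens, so the patched file will not parse (the parallel `$etids` line in the next hunk has three); it should read `$tids = addslashes (implode (' ', array_intersect ($AETIDS, $TIDS)));`. The `$BOXES` scrub still interpolates the joined values into `NOT IN ($boxes)`, and if `COM_applyFilter($val, true)` yields an empty string for a non-numeric element (its implementation is not in view) the clause becomes `NOT IN (1,,3)` and the query fails; casting the result, `$BOXES[$key] = (int) COM_applyFilter($val, true);`, keeps the interpolated list well-formed for any input. It is also worth stating in the `$tids` comment that `array_intersect($AETIDS, $TIDS)` returns entries of `$AETIDS`, so the stored string is built from the server's own allowed-topic list rather than from request values — that, not the addslashes call, is what makes the unscrubbed `$TIDS` safe here. The enclosing function begins before and ends after this hunk.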
@@ -1406,7 +1416,7 @@
$etids = '';
if (sizeof ($ETIDS) > 0) {
- $AETIDS = USER_getAllowedTopics();
+ // the array_intersect mitigates the need to scrub the ETIDS input
$etids = addslashes (implode (' ', array_intersect ($AETIDS, $ETIDS)));
}