Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


View Issue Details
ID: 0002281
Project: Advanced Menu Manager
Category: bug
View Status: public
Date Submitted: 2011.04.26 13:31
Last Update: 2011.05.26 23:43
Reporter: stim
Assigned To: grum
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 3.1.3
Summary: 0002281: Custom language value is used in queries unescaped.
Description: By manipulation of the profile page, it is possible to insert bogus values in the language field.
These values are used in queries of the AMM without escaping.
This results in sql-errors being reported (being a severe security hazard).
Steps To Reproduce: Fill the database with bogus language information (see my other report).
Any page triggering AMM (e.g. front page) will show sql errors.
Tags: No tags attached.
Attached Files

- Relationships

- Notes
(0005053)
stim (reporter)
2011.04.26 13:34
edited on: 2011.04.26 13:34

See 0002280 for reproducing this bug.

On a side note: sql-errors should probably be handled more elegantly.

(0005060)
plg (manager)
2011.04.27 15:30

Hi stim,

Are you sure it is related to AMM?
(0005061)
stim (reporter)
2011.04.27 15:40

The side note is piwigo-wide, but the reported bug (AMM is using a field from the database without escaping it) is AMM related.
See amm_root.class.inc.php line 360-374.

The $lang = $user['language']; contains a value from the database (that has become unescaped). It is used in the query without escaping, allowing indirect inj. of the sql. This should be fixed in the AMM plugin IMHO.
[Not sure if this is the only occurrence btw]
(0005133)
grum (administrator)
2011.05.24 23:36

Is using mysql_real_escape_string($lang) in the SQL request enough to fix the problem?
Or does something stronger have to be used?
(0005136)
stim (reporter)
2011.05.25 10:01

Yeah, I guess pwg_db_real_escape_string would be appropriate, but either would fix it indeed.
(0005150)
svn (reporter)
2011.05.26 23:36

[Subversion] r11071 by grum on extension AMenuManager

-----[Subversion commit log]----------------------------------------------------
fix bug:2281
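Added example, not Piwigo or AMM code and not part of this ticket: the pattern the notes describe, a language value read back from the database and interpolated into the next query, beside the escaping fix the thread settles on and the prepared-statement alternative grum asks about. It assumes PHP 7+ with pdo_sqlite; the table names, columns and bogus language values are constructed.

```php
<?php
// Added example, not Piwigo/AMM code; assumes PHP 7+ with pdo_sqlite. Tables and bogus values are constructed.
function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, language TEXT)');
    $pdo->exec('CREATE TABLE menu_items (id INTEGER PRIMARY KEY, lang TEXT, label TEXT)');
    $pdo->exec("INSERT INTO menu_items (lang, label) VALUES ('en_UK', 'Home'), ('fr_FR', 'Accueil')");
    return $pdo;
}

// Vulnerable pattern from the report: $lang = $user['language'] comes from
// the database, is trusted, and is interpolated straight into the next query.
function labelsVulnerable(PDO $pdo, string $lang): array {
    return $pdo->query("SELECT label FROM menu_items WHERE lang = '$lang'")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Escaping fix, the route the thread settles on (pwg_db_real_escape_string in
// Piwigo); PDO::quote() escapes the value and wraps it in quotes.
function labelsEscaped(PDO $pdo, string $lang): array {
    return $pdo->query('SELECT label FROM menu_items WHERE lang = ' . $pdo->quote($lang))
               ->fetchAll(PDO::FETCH_COLUMN);
}

// The "something stronger" grum asks about: a prepared statement keeps the
// value out of the SQL text altogether.
function labelsPrepared(PDO $pdo, string $lang): array {
    $stmt = $pdo->prepare('SELECT label FROM menu_items WHERE lang = ?');
    $stmt->execute([$lang]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildDb();
$insert = $pdo->prepare('INSERT INTO users (id, language) VALUES (?, ?)');
$select = $pdo->prepare('SELECT language FROM users WHERE id = ?');
// Two constructed bogus values: one breaks the query (the SQL error the report sees), one rewrites its WHERE clause.
foreach ([1 => "en_UK'", 2 => "x' OR '1'='1"] as $id => $bogus) {
    $insert->execute([$id, $bogus]);          // stored as the manipulated profile page would store it
    $select->execute([$id]);
    $lang = $select->fetchColumn();           // read back later, like $user['language']
    try {
        printf("vulnerable: %d rows\n", count(labelsVulnerable($pdo, $lang)));
    } catch (PDOException $e) {
        echo "vulnerable: SQL error surfaced to the page\n";
    }
    printf("escaped:    %d rows\n", count(labelsEscaped($pdo, $lang)));
    printf("prepared:   %d rows\n", count(labelsPrepared($pdo, $lang)));
}
```

Both fixed variants treat the stored value purely as data, so neither the stray quote nor the rewritten WHERE clause reaches the SQL parser.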

- Issue History
Date Modified Username Field Change
2011.04.26 13:31 stim New Issue
2011.04.26 13:34 stim Note Added: 0005053
2011.04.26 13:34 stim Note Edited: 0005053
2011.04.27 15:30 plg Note Added: 0005060
2011.04.27 15:40 stim Note Added: 0005061
2011.05.24 23:23 grum Status new => assigned
2011.05.24 23:23 grum Assigned To => grum
2011.05.24 23:36 grum Note Added: 0005133
2011.05.25 10:01 stim Note Added: 0005136
2011.05.26 23:36 svn Checkin
2011.05.26 23:36 svn Note Added: 0005150
2011.05.26 23:43 grum Status assigned => resolved
2011.05.26 23:43 grum Fixed in Version => 3.1.3
2011.05.26 23:43 grum Resolution open => fixed


Copyright © 2000 - 2018 MantisBT Team
Powered by Mantis Bugtracker