Fixed issue: SQL injection vulnerability in administration - discover…

…ed by 0keeTeam / QIHU 360 company, China
LimeSurvey · Jun 18, 2015 · b09edc0 · b09edc0 · 0keeteam · Jun 18, 2015
1 parent 61a48c4
commit b09edc0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/application/controllers/admin/questiongroups.php b/application/controllers/admin/questiongroups.php
@@ -36,7 +36,7 @@ class questiongroups extends Survey_Common_Action
     function import()
     {
         $action = $_POST['action'];
-        $surveyid = $_POST['sid'];
+        $iSurveyID = (int)$_POST['sid'];
 
         if ($action == 'importgroup')
         {
@@ -66,11 +66,11 @@ function import()
 
             // IF WE GOT THIS FAR, THEN THE FILE HAS BEEN UPLOADED SUCCESFULLY
             if (strtolower($sExtension) == 'lsg')
-                $aImportResults = XMLImportGroup($sFullFilepath, $surveyid);
+                $aImportResults = XMLImportGroup($sFullFilepath, $iSurveyID);
             else
                 $this->getController()->error('Unknown file extension');
             LimeExpressionManager::SetDirtyFlag(); // so refreshes syntax highlighting
-            fixLanguageConsistency($surveyid);
+            fixLanguageConsistency($iSurveyID);
 
             if (isset($aImportResults['fatalerror']))
             {
@@ -81,7 +81,7 @@ function import()
             unlink($sFullFilepath);
 
             $aData['display'] = $importgroup;
-            $aData['surveyid'] = $surveyid;
+            $aData['surveyid'] = $iSurveyID;
             $aData['aImportResults'] = $aImportResults;
             $aData['sExtension'] = $sExtension;
             //$aData['display']['menu_bars']['surveysummary'] = 'importgroup';

diff --git a/application/helpers/admin/import_helper.php b/application/helpers/admin/import_helper.php
@@ -59,8 +59,7 @@ function XMLImportGroup($sFullFilePath, $iNewSID)
     // Import group table ===================================================================================
 
 
-    $query = "SELECT MAX(group_order) AS maxgo FROM {{groups}} WHERE sid=$iNewSID";
-    $iGroupOrder = Yii::app()->db->createCommand($query)->queryScalar();
+    $iGroupOrder = Yii::app()->db->createCommand()->select('MAX(group_order)')->from('{{groups}}')->where('sid=:sid',array(':sid'=>$iNewSID))->queryScalar();
     if ($iGroupOrder === false)
     {
         $iNewGroupOrder=0;