Fix CVE-2014-1608: mc_issue_attachment_get SQL injection
Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes #16879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
	api/soap/mc_file_api.php
mantis authored and dregad committed Jan 24, 2014
1 parent b72fdae commit 00b4c17
Showing 1 changed file with 4 additions and 8 deletions.
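The pattern the commit message describes, reproduced as an added illustration that is not part of the MantisBT code base: the pre-fix query, which splices the file id into the SQL text, beside the bound-parameter form the fix switches to. It is written in Python with sqlite3 rather than PHP so it runs offline; `?` stands in for `db_param()` and `execute(query, params)` for `db_query_bound()`. The table names, columns, rows and the payload are constructed stand-ins for the demonstration, not Mantis's schema or any real data.

```python
import sqlite3


def make_db():
    """Constructed fixture: a tiny stand-in for an attachment table and a
    second table holding something an attacker would want to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE bug_file (id INTEGER PRIMARY KEY, bug_id INTEGER, filename TEXT);
        CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO bug_file VALUES (1, 10, 'trace.log'), (2, 11, 'screenshot.png');
        INSERT INTO user_table VALUES (1, 'administrator', 'hash-of-admin-pw');
        """
    )
    return conn


def get_file_unbound(conn, table, file_id):
    # Pre-fix pattern: the caller-supplied id is interpolated into the SQL
    # string and handed to the driver as text (the db_query() path). Whatever
    # the client sent is parsed as SQL. The table name is not attacker
    # controlled here, as in Mantis where it comes from db_get_table().
    query = f"SELECT * FROM {table} WHERE id='{file_id}'"
    return conn.execute(query).fetchall()


def get_file_bound(conn, table, file_id):
    # Post-fix pattern: the SQL text contains only a placeholder ('?' is
    # sqlite's marker, the role db_param() plays in Mantis) and the value
    # travels separately as a bound parameter (the db_query_bound() path),
    # so it is compared as data and never parsed as SQL.
    query = f"SELECT * FROM {table} WHERE id=?"
    return conn.execute(query, (file_id,)).fetchall()


# Constructed payload: closes the quoted literal, appends a UNION that reads
# the other table, and comments out the trailing quote the template adds.
PAYLOAD = "0' UNION SELECT id, username, password FROM user_table --"


def demo():
    """Run a legitimate id and the payload through both query builders."""
    conn = make_db()
    return {
        "legit_unbound": get_file_unbound(conn, "bug_file", "1"),
        "legit_bound": get_file_bound(conn, "bug_file", "1"),
        "attack_unbound": get_file_unbound(conn, "bug_file", PAYLOAD),
        "attack_bound": get_file_bound(conn, "bug_file", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both builders return the same row for a real id; only the interpolated one returns the `user_table` row for the payload, while the bound one returns nothing because the whole payload string is compared against the integer `id` column and matches no row.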
12 changes: 4 additions & 8 deletions api/soap/mc_file_api.php
@@ -154,25 +154,21 @@ function mci_file_get( $p_file_id, $p_type, $p_user_id ) {

# we handle the case where the file is attached to a bug
# or attached to a project as a project doc.
$query = '';
$t_query = '';
switch( $p_type ) {
case 'bug':
$t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
$query = "SELECT *
FROM $t_bug_file_table
WHERE id='$p_file_id'";
$t_query = "SELECT * FROM $t_bug_file_table WHERE id=" . db_param();
break;
case 'doc':
$t_project_file_table = db_get_table( 'mantis_project_file_table' );
$query = "SELECT *
FROM $t_project_file_table
WHERE id='$p_file_id'";
$t_query = "SELECT * FROM $t_project_file_table WHERE id=" . db_param();
break;
default:
return SoapObjectsFactory::newSoapFault( 'Server', 'Invalid file type '.$p_type. ' .' );
}

$result = db_query( $query );
$result = db_query_bound( $t_query, array( $p_file_id ) );

if ( $result->EOF ) {
return SoapObjectsFactory::newSoapFault( 'Client', 'Unable to find an attachment with type ' . $p_type. ' and id ' . $p_file_id . ' .' );
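Review bot: binding the id in `$result = db_query_bound( $t_query, array( $p_file_id ) );` closes the injection, but `$p_file_id` still reaches the database as whatever the SOAP client sent, and the same raw value is echoed back in the `Client` fault on the last line; consider validating it as an integer before the `switch` (for example casting with `(int)` or rejecting non-numeric input with a `Client` fault), so that a malformed id yields a predictable error rather than a driver-dependent comparison or type error, and so the echoed value is known to be numeric. Minor: the `bug` and `doc` cases now differ only in the table name, so choosing the table inside the `switch` and building `$t_query = "SELECT * FROM $t_table WHERE id=" . db_param();` once after it would remove the duplicated query string.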
