Fix SQL injection in manage_user_page.php
This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue #17937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes #17940
dregad committed Jan 9, 2015
1 parent 75c87e6 commit 7cc4539
Showing 1 changed file with 34 additions and 31 deletions.
65 changes: 34 additions & 31 deletions manage_user_page.php
Expand Up @@ -57,17 +57,44 @@

access_ensure_global_level( config_get( 'manage_user_threshold' ) );

$f_sort = gpc_get_string( 'sort', 'username' );
$f_dir = gpc_get_string( 'dir', 'ASC' );
$f_hide_inactive = gpc_get_bool( 'hideinactive' );
$f_show_disabled = gpc_get_bool( 'showdisabled' );
$t_cookie_name = config_get( 'manage_users_cookie' );
$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
$c_filter = '';

$f_save = gpc_get_bool( 'save' );
$f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
$f_page_number = gpc_get_int( 'page_number', 1 );

$t_cookie_name = config_get( 'manage_users_cookie' );
$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" alt="' . lang_get( 'protected' ) . '" />';
$c_filter = '';
if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );

# Hide Inactive
$f_hide_inactive = (bool)$t_manage_arr[0];

# Sort field
if ( isset( $t_manage_arr[1] ) ) {
$f_sort = $t_manage_arr[1];
} else {
$f_sort = 'username';
}

# Sort order
if ( isset( $t_manage_arr[2] ) ) {
$f_dir = $t_manage_arr[2];
} else {
$f_dir = 'DESC';
}

# Show Disabled
if ( isset( $t_manage_arr[3] ) ) {
$f_show_disabled = $t_manage_arr[3];
}
} else {
$f_sort = gpc_get_string( 'sort', 'username' );
$f_dir = gpc_get_string( 'dir', 'ASC' );
$f_hide_inactive = gpc_get_bool( 'hideinactive' );
$f_show_disabled = gpc_get_bool( 'showdisabled' );
}

# Clean up the form variables
if( !db_field_exists( $f_sort, db_get_table( 'user' ) ) ) {
Expand All @@ -90,30 +117,6 @@
if( $f_save ) {
$t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled;
gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
} else if( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );

# Hide Inactive
$c_hide_inactive = $t_manage_arr[0];

# Sort field
if( isset( $t_manage_arr[1] ) ) {
$c_sort = $t_manage_arr[1];
} else {
$c_sort = 'username';
}

# Sort order
if( isset( $t_manage_arr[2] ) ) {
$c_dir = $t_manage_arr[2];
} else {
$c_dir = 'DESC';
}

# Show Disabled
if( isset( $t_manage_arr[3] ) ) {
$c_show_disabled = $t_manage_arr[3];
}
}

html_page_top( lang_get( 'manage_users_link' ) );
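Review bot: In the new cookie branch of the first hunk, `$f_show_disabled` is the one field left unnormalised: the "Show Disabled" assignment takes `$t_manage_arr[3]` as a raw string, while the "Hide Inactive" line casts with `(bool)`, and when the cookie has fewer than four fields the variable is never assigned at all (the removed `$c_show_disabled` path inherited a value from the earlier clean-up; the new `$f_show_disabled` path does not). Mirroring the hide-inactive line, `$f_show_disabled = isset( $t_manage_arr[3] ) ? (bool)$t_manage_arr[3] : false;`, gives the clean-up code a defined boolean regardless of cookie shape. The clean-up that validates `$f_dir` and `$f_show_disabled` sits in the collapsed region after the `db_field_exists` check on `$f_sort`, so this page only shows the sort column being constrained; presumably `$f_dir` is restricted to ASC/DESC there, which is worth confirming since it now also comes from the cookie. Minor style point: the new `if ( isset(` lines use `if (` where the surrounding file writes `if(`.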
