Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this issue, introduced by f8a81a3 in MantisBT 1.2.13. Root cause is the use of unsanitized inlined query parameters. Fixes #17055
mantisbt · Feb 28, 2014 · a608f2d · a608f2d
1 parent 4009cc0
commit a608f2d
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/adm_config_report.php b/adm_config_report.php
@@ -216,14 +216,18 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 
 	# Build filter's where clause
 	$t_where = '';
+	$t_param = array();
 	if( $t_filter_user_value != META_FILTER_NONE ) {
-		$t_where .= " AND user_id = $t_filter_user_value ";
+		$t_where .= " AND user_id = " . db_param();
+		$t_param[] = $t_filter_user_value;
 	}
 	if( $t_filter_project_value != META_FILTER_NONE ) {
-		$t_where .= " AND project_id = $t_filter_project_value ";
+		$t_where .= " AND project_id = " . db_param();
+		$t_param[] = $t_filter_project_value;
 	}
 	if( $t_filter_config_value != META_FILTER_NONE ) {
-		$t_where .= " AND config_id = '$t_filter_config_value' ";
+		$t_where .= " AND config_id = " . db_param();
+		$t_param[] = $t_filter_config_value;
 	}
 	if( $t_where != '' ) {
 		$t_where = " WHERE 1=1 " . $t_where;
@@ -233,7 +237,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 		FROM $t_config_table
 		$t_where
 		ORDER BY user_id, project_id, config_id ";
-	$result = db_query_bound( $query );
+	$result = db_query_bound( $query, $t_param );
 ?>
 
 <br />