From a608f2d00a6eb0641605358cb683c176e671dc04 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 28 Feb 2014 18:23:14 +0100
Subject: [PATCH] Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in MantisBT 1.2.13. Root cause is the use of unsanitized inlined query parameters. Fixes #17055
---
 adm_config_report.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index 8f78f58f1d..aeb4330fa6 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -216,14 +216,18 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 	# Build filter's where clause
 	$t_where = '';
+	$t_param = array();
 	if( $t_filter_user_value != META_FILTER_NONE ) {
-		$t_where .= " AND user_id = $t_filter_user_value ";
+		$t_where .= " AND user_id = " . db_param();
+		$t_param[] = $t_filter_user_value;
 	}
 	if( $t_filter_project_value != META_FILTER_NONE ) {
-		$t_where .= " AND project_id = $t_filter_project_value ";
+		$t_where .= " AND project_id = " . db_param();
+		$t_param[] = $t_filter_project_value;
 	}
 	if( $t_filter_config_value != META_FILTER_NONE ) {
-		$t_where .= " AND config_id = '$t_filter_config_value' ";
+		$t_where .= " AND config_id = " . db_param();
+		$t_param[] = $t_filter_config_value;
 	}
 	if( $t_where != '' ) {
 		$t_where = " WHERE 1=1 " . $t_where;
@@ -233,7 +237,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 		FROM $t_config_table
 		$t_where
 		ORDER BY user_id, project_id, config_id
 	";
-	$result = db_query_bound( $query );
+	$result = db_query_bound( $query, $t_param );
 ?>
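Review bot: The bound query is only correct while entries are pushed onto `$t_param` in exactly the order their `db_param()` placeholders are appended to `$t_where`, and nothing in the first hunk states that invariant even though the two operations are split across separate statements in each of the three filter branches; a comment next to `$t_param = array();` such as `# Every db_param() appended to $t_where must be matched by a $t_param[] push in the same order` would protect future edits. Binding the values closes the injection, but it does not constrain the type of `$t_filter_user_value` and `$t_filter_project_value`; if they are not already read with gpc_get_int() upstream (that code is outside the hunk), an explicit `(int)` cast on the two `$t_param[] = ...` lines would preserve the integer semantics the old unquoted inlining implied. The `$query` string whose head lies between the two hunks, and the enclosing statement run, start outside the hunk.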