
critical bugfix to motd.php (sql injection attack)

NB-Core committed Apr 26, 2019
1 parent 424ae1a commit 4e6f8394e36f7c43ba8f56a31c6337f937251023
Showing with 12 additions and 5 deletions.
  1. +1 −0 CHANGELOG.txt
  2. +11 −5 motd.php
@@ -1,6 +1,7 @@
Changes to 1.2.6 +nb
[FIXES]
*lib/all_tables.php and several --> 0000-00-00 00:00:00 is not valid DATETIME since MySQL 5.7 anymore. Hence, new constants DATETIME_DATEMIN and _DATEMAX have been introduced in lib/constants.php. Default is set to 1970-01-01 ... and 2159-01-01 ... - max could be 9999-12-31, but if I get older than 160 years, I'll fix that for you
*motd.php --> critical SQL injection attack fix. Month in httppost was not escaped and directly patched into an SQL query!


Changes to 1.2.5 +nb
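Review bot: the motd.php entry in this changelog hunk describes the defect ("Month in httppost was not escaped") but not the remedy, and the remedy in this commit is validation rather than escaping; state that, e.g. "the month parameter is now truncated to 7 characters and must match YYYY-MM, otherwise it is ignored", so administrators reading the changelog know that malformed months are silently dropped rather than escaped or rejected with an error.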
@@ -58,10 +58,16 @@
/*
motditem("Beta!","Please see the beta message below.","","", "");
*/
$m = httppost("month");
if ($m > ""){
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$m}-01' AND motddate <= '{$m}-31' ORDER BY motddate DESC";
$result = db_query_cached($sql,"motd-$m");
$month_post = httppost("month");
//SQL Injection attack possible -> kill it off after 7 letters as format is i.e. "2000-05"
$month_post = substr($month_post,0,7);
if (preg_match("/[0-9][0-9][0-9][0-9]-[0-9][0-9]/",$month_post)!==1) {
//hack attack
$month_post="";
}
if ($month_post > ""){
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$month_post}-01' AND motddate <= '{$month_post}-31' ORDER BY motddate DESC";
$result = db_query_cached($sql,"motd-$month_post");
}else{
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor ORDER BY motddate DESC limit $newcount,".($newcount+$count);
if ($newcount=0) //cache only the last x items
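Review bot: the pattern in the `preg_match` line is unanchored and only acts as a whole-string check because of the `substr($month_post,0,7)` immediately above it; anchor it (`/^[0-9]{4}-[0-9]{2}$/`) so the validation does not quietly weaken if the truncation is ever moved or removed. Two smaller points in the same region: the regex accepts month values 13 through 99, so the query can still be built with a string like `'2019-99-01'` (no injection, but an invalid DATE that MySQL will warn on), and a range check on the month part (01 to 12), or binding the value as a query parameter instead of interpolating it, would close that; and `if ($month_post > "")` reads more clearly as `if ($month_post !== "")`. Unrelated to this change but visible in the trailing context, `if ($newcount=0)` is an assignment rather than a comparison and deserves a follow-up fix.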
@@ -97,7 +103,7 @@
while ($row = db_fetch_assoc($result)){
$time = strtotime("{$row['d']}-01");
$m = translate_inline(date("M",$time));
rawoutput ("<option value='{$row['d']}'".(httpget("month")==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
rawoutput ("<option value='{$row['d']}'".($month_post==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
}
rawoutput("</select>".tlbutton_clear());
$showmore=translate_inline("Show more");
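Review bot: switching the `selected` test from `httpget("month")` to the validated `$month_post` is the right call, since the form value is read via httppost and the validated copy is what the query actually used; note, though, that when the posted value fails validation `$month_post` is reset to `""`, so the page falls back to the default listing with no option preselected and gives the user no indication that their selection was discarded. A short notice in that branch (or simply documenting the fallback) would make the behaviour less surprising.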
