this codebase is riddled with sql injection vulnerabilities; fix some of the key vulnerabilities in login/session code
ryanberckmans committed Feb 13, 2013
1 parent 23836a0 commit 25afad5
Showing 2 changed files with 21 additions and 22 deletions.
14 changes: 7 additions & 7 deletions www/cgi-bin/login.pl
Expand Up @@ -53,17 +53,17 @@
}

#login is real, check the password
$sth = $dbh->prepare("select id from users where name='$login' and pass=PASSWORD('$pass')");
$sth->execute;
my $login_sql = $dbh->prepare("select id from users where name=? and pass=PASSWORD(?)");
$login_sql->execute($login,$pass);

my $valid_login = $sth->rows;
my ($uid) = $sth->fetchrow_array;
my $valid_login = $login_sql->rows;
my ($uid) = $login_sql->fetchrow_array;

if ($valid_login) {
# Login was valid, get the current time.
my $sth = $dbh->prepare("select unix_timestamp(now())");
$sth->execute;
my ($time) = $sth->fetchrow_array;
my $time_sql = $dbh->prepare("select unix_timestamp(now())");
$time_sql->execute;
my ($time) = $time_sql->fetchrow_array;

my $magic = new_session($dbh, $uid);
my $CGI_params = $q->Vars;
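Review bot: The new `my $valid_login = $login_sql->rows;` still decides whether the login succeeded from a SELECT's row count, which DBI documents as driver-dependent (some drivers report -1 or the number fetched so far until all rows are read); DBD::mysql usually stores the result client-side so it works there, but it is the fetched row that is reliable everywhere. Deriving validity from the fetch avoids that dependency: `my ($uid) = $login_sql->fetchrow_array;` followed by `my $valid_login = defined $uid;`. `$login` and `$pass` are assigned above the hunk, and the `if ($valid_login)` block continues below it. The query also still delegates credential hashing to MySQL's `PASSWORD()`, which later MySQL releases deprecate; hashing in the application with a purpose-built password KDF would decouple login from that function.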
29 changes: 14 additions & 15 deletions www/cgi-bin/session.pl
Expand Up @@ -17,8 +17,10 @@ sub new_session {
# Make sequence numbers random.
my $magic = int rand(2147483648);

$dbh->do("update users set magic=$magic where id=$uid");
$dbh->do("update users set session_stamp=now() where id=$uid");
my $sql = $dbh->prepare("update users set magic=? where id=?");
$sql->execute($magic,$uid);
$sql = $dbh->prepare("update users set session_stamp=now() where id=?");
$sql->execute($uid);

return $magic;
}
Expand All @@ -34,21 +36,18 @@ sub get_session {

# print "<p>PASSED uid, magic: $uid, $cgi_magic</p>";

my $sth = $dbh->prepare("select magic, UNIX_TIMESTAMP(now())-UNIX_TIMESTAMP(session_stamp) as elapsed from users where id=$uid");
$sth->execute;
my $sth = $dbh->prepare("select magic, UNIX_TIMESTAMP(now())-UNIX_TIMESTAMP(session_stamp) as elapsed from users where id=?");
$sth->execute($uid);
my ($db_magic, $elapsed) = $sth->fetchrow_array;

# print "<p>FOUND magic, elapsed: $db_magic, $elapsed</p>\n";

if (($db_magic == $cgi_magic) and ($elapsed < $session_timeout)) {
# Set a new session timestamp, update magic.
my $new_magic = int rand(2147483648);
$dbh->do("update users set session_stamp=now(), magic=$new_magic where id=$uid");
my $sql = $dbh->prepare("update users set session_stamp=now(), magic=? where id=?");
$sql->execute($new_magic,$uid);

# Put magic into cgi query.
# my $vars = $q->Vars;
# $vars->{'magic'} = $new_magic;
# Successfully continued session...
return 1;
}
else {
Expand All @@ -63,8 +62,8 @@ sub get_access {
my ($dbh, $q, $view_time) = @_;
my $uid = cook_int($q->param('uid'));

my $sth = $dbh->prepare("select access from users where id=$uid");
$sth->execute;
my $sth = $dbh->prepare("select access from users where id=?");
$sth->execute($uid);
my ($access) = $sth->fetchrow_array;

return $access;
Expand All @@ -76,8 +75,8 @@ sub no_access {
my $action = cook_word($q->param('action'));

# Log it.
my $sth = $dbh->prepare("insert into log (user,action,cdata1) values($uid,'accessdenied','$action')");
$sth->execute;
my $sth = $dbh->prepare("insert into log (user,action,cdata1) values(?,'accessdenied','$action')");
$sth->execute($uid);

# Notify the user.
print <<EOT;
Expand All @@ -96,8 +95,8 @@ sub get_session_info {
my $uid = cook_int($q->param('uid'));
my $magic = cook_int($q->param('magic'));

my $sth = $dbh->prepare("select magic from users where id=$uid");
$sth->execute;
my $sth = $dbh->prepare("select magic from users where id=?");
$sth->execute($uid);
my ($nextmagic) = $sth->fetchrow_array;

return "<input type='hidden' name='uid' value='$uid'>\n<input type='hidden' name='magic' value='$nextmagic'>\n";
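Review bot: In no_access the rewritten insert moves `$uid` to a placeholder but leaves `'$action'` interpolated into the SQL string, so that line keeps the pattern this commit is removing; bind both values: `my $sth = $dbh->prepare("insert into log (user,action,cdata1) values(?,'accessdenied',?)");` and `$sth->execute($uid,$action);`. cook_word is defined outside the hunk, so whatever it strips, the placeholder makes SQL safety independent of it. Separately, get_session compares `$db_magic == $cgi_magic` without checking that the select returned a row, so an unknown id leaves `$db_magic` and `$elapsed` undef and the numeric comparisons can still evaluate true; a `defined $db_magic` guard after the fetch that takes the else path (which continues outside the hunk) would close that. The session magic in new_session and get_session is drawn from `rand`, which is not a cryptographic source; a CSPRNG-backed token would be the stronger choice for a session identifier.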
