Bug 14521: SQL injection in local use system preferences
This patch fixes a SQL injection vulnerability in the local use
system preferences.

_TEST PLAN_

Before applying:

1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.

5) Apply the patch

6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit a72262a)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
minusdavid authored and wizzyrea committed Jul 21, 2015
1 parent 21d6252 commit 9513b93
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions admin/systempreferences.pl
Expand Up @@ -70,14 +70,16 @@ sub StringSearch {

my $strsth = "Select variable,value,explanation,type,options from systempreferences where variable in (";
my $first = 1;
my @sql_bind;
for my $name ( get_local_prefs() ) {
$strsth .= ',' unless $first;
$strsth .= "'$name'";
$strsth .= "?";
push(@sql_bind,$name);
$first = 0;
}
$strsth .= ") order by variable";
$sth = $dbh->prepare($strsth);
$sth->execute();
$sth->execute(@sql_bind);

while ( my $data = $sth->fetchrow_hashref ) {
unless (defined $data->{value}) { $data->{value} = "";}
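Review bot: the empty-list case is still unhandled after this hunk. If get_local_prefs() returns nothing, the loop never runs and `$strsth` is left as `... where variable in () order by variable`, which MySQL rejects as a syntax error at prepare time; a short-circuit return before `$sth = $dbh->prepare($strsth);` when `@sql_bind` is empty would cover it. The placeholder change itself is right: `$strsth .= "?";` with `push(@sql_bind,$name);` and `$sth->execute(@sql_bind);` sends each name as a bound parameter, so the test plan's `') or '1' = '1' -- ` can only ever match as a literal variable name. A style point: once the names are collected, the `$first` bookkeeping can go in favour of `join(',', ('?') x @sql_bind)`.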

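The test plan and the before/after of the StringSearch query, as an added example that is not Koha's code: it rebuilds the query from admin/systempreferences.pl against an in-memory SQLite table (DBI with DBD::SQLite, assumed installed) seeded with constructed rows, uses a hypothetical stand-in for get_local_prefs() that returns the payload from the test plan alongside one ordinary local preference, and runs the pre-patch interpolated query beside the patched placeholder form. The empty-list guard and the join()-built placeholder string are additions of this example, not part of the patch.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code. Reproduces the local-use preference
# lookup from admin/systempreferences.pl against SQLite so the injection in
# the bug 14521 test plan can be observed and the placeholder fix confirmed.
use strict;
use warnings;
use DBI;    # needs DBD::SQLite (assumed installed)

# Constructed sample data standing in for Koha's systempreferences table.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do(q{CREATE TABLE systempreferences (
    variable TEXT PRIMARY KEY, value TEXT, explanation TEXT, type TEXT, options TEXT)});
my $ins = $dbh->prepare("INSERT INTO systempreferences VALUES (?,?,?,?,?)");
$ins->execute(@$_) for (
    [ 'OPACBaseURL',          'http://opac.example', 'OPAC base URL',             'Free', undef ],
    [ 'version',              '3.20.01.000',         'Koha version',              'Free', undef ],
    [ 'MyLocalPref',          'yes',                 'an ordinary local pref',    'Free', undef ],
    [ q{') or '1' = '1' -- }, '',                    'payload from the test plan', 'Free', undef ],
);

# Hypothetical stand-in for Koha's get_local_prefs(): the names on the
# "Local use" tab, here including the payload the test plan says to add
# (note the trailing space after the comment marker).
sub get_local_prefs { return ( 'MyLocalPref', q{') or '1' = '1' -- } ); }

# Before the patch: each name is interpolated into the SQL text, so the
# payload closes the IN list, appends "or '1' = '1'" and comments out the rest.
sub search_vulnerable {
    my ( $dbh, @names ) = @_;
    my $strsth = "Select variable,value,explanation,type,options from systempreferences where variable in (";
    my $first = 1;
    for my $name (@names) {
        $strsth .= ',' unless $first;
        $strsth .= "'$name'";
        $first = 0;
    }
    $strsth .= ") order by variable";
    my $sth = $dbh->prepare($strsth);
    $sth->execute();
    return map { $_->{variable} } @{ $sth->fetchall_arrayref( {} ) };
}

# After the patch: one "?" per name, names passed to execute() as bind values,
# so the payload is only ever compared as a literal variable name.
sub search_fixed {
    my ( $dbh, @names ) = @_;
    return () unless @names;    # added guard: "in ()" is a syntax error in MySQL
    my $placeholders = join( ',', ('?') x @names );
    my $sth = $dbh->prepare(
        "Select variable,value,explanation,type,options from systempreferences"
          . " where variable in ($placeholders) order by variable" );
    $sth->execute(@names);
    return map { $_->{variable} } @{ $sth->fetchall_arrayref( {} ) };
}

my @before = search_vulnerable( $dbh, get_local_prefs() );
my @after  = search_fixed( $dbh, get_local_prefs() );
printf "interpolated query returned %d rows: %s\n", scalar @before, join( ' | ', @before );
printf "placeholder query returned %d rows: %s\n",  scalar @after,  join( ' | ', @after );
```

The interpolated query comes back with every row in the table (the injected `'1' = '1'` is always true and the `--` swallows the closing parenthesis and the ORDER BY), which is the "about 99 other system preferences" symptom from the test plan scaled down to four rows; the placeholder query returns only the two names that were actually asked for, matching step 7.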