Moved sql where line to be included in count #1130

Merged
merged 1 commit into from May 26, 2015

Projects

None yet

2 participants

@laf
Member
laf commented May 25, 2015

Fixes #1129

@laf laf added the Bug label May 25, 2015
@paulgear
Member

I think we've got a bigger problem with this file, which is an SQL injection vulnerability on line 12. Try searching for "'); drop table devices; --" (without the double quotes), on an unimportant system and you'll see what I mean. ;-)

@laf
Member
laf commented May 26, 2015

Have you tested this or just read that pages code and assumed that's it not escaped?

$searchPhrase is run through mres() in html/ajax_table.php

'); drop table test; --

image

mysql> select * from test;
Empty set (0.00 sec)
@paulgear
Member

My assumption was based on reading the code only.

I still get nervous when I see variables inserted like that instead of parameterised, but if there's no way to hit that code without the variables being sanitised, I'm happy. :-)

👍

@paulgear paulgear merged commit bd46c09 into librenms:master May 26, 2015

1 check passed

Scrutinizer No new issues
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment