Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes #16879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
	api/soap/mc_file_api.php
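To make the class of bug in the commit message concrete, here is an added example (not MantisBT code, and not the page's own) that reproduces the vulnerable query shape beside the bound one. It assumes a constructed in-memory SQLite database via PDO, with a hypothetical table `mantis_bug_file_table` and two constructed rows; PDO's `?` placeholder stands in for MantisBT's `db_param()`, and `prepare()`/`execute()` stand in for `db_query_bound()`.

```php
<?php
// Added example, not from MantisBT. Constructed in-memory SQLite database so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mantis_bug_file_table (id INTEGER PRIMARY KEY, bug_id INTEGER, filename TEXT)');
$db->exec("INSERT INTO mantis_bug_file_table VALUES (1, 10, 'public.txt'), (2, 20, 'secret.pdf')");

// Vulnerable pattern, mirroring the removed lines of the fix:
// the caller-supplied id is pasted straight into the SQL text.
function file_get_vulnerable(PDO $db, $p_file_id): array {
    $query = "SELECT * FROM mantis_bug_file_table WHERE id='$p_file_id'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, mirroring the added lines of the fix:
// a placeholder in the SQL, and the value handed to the driver separately.
function file_get_bound(PDO $db, $p_file_id): array {
    $stmt = $db->prepare('SELECT * FROM mantis_bug_file_table WHERE id=?');
    $stmt->execute(array($p_file_id));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker-controlled value, as a SOAP client could send it.
// The single quote closes the string literal and the OR makes the WHERE clause always true.
$payload = "1' OR '1'='1";

$leaked = file_get_vulnerable($db, $payload); // both rows: the predicate became id='1' OR '1'='1'
$bound  = file_get_bound($db, $payload);      // no rows: the whole string is compared against id

printf("vulnerable: %d row(s)\n", count($leaked));
printf("bound:      %d row(s)\n", count($bound));
```

The point of the bound form is that the SQL text is fixed before any user data is involved, so no value can change the query's structure. Escaping the id into the string would also stop this particular payload, but binding removes the problem rather than patching around it; since both tables key on an integer id, casting the parameter to int before binding is a cheap extra check.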
commit 00b4c17088fa56594d85fe46b6c6057bb3421102 1 parent b72fdae
@grangeway grangeway authored dregad committed
Showing with 4 additions and 8 deletions.
  1. +4 −8 api/soap/mc_file_api.php
12 api/soap/mc_file_api.php
@@ -154,25 +154,21 @@ function mci_file_get( $p_file_id, $p_type, $p_user_id ) {
# we handle the case where the file is attached to a bug
# or attached to a project as a project doc.
- $query = '';
+ $t_query = '';
switch( $p_type ) {
case 'bug':
$t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
- $query = "SELECT *
- FROM $t_bug_file_table
- WHERE id='$p_file_id'";
+ $t_query = "SELECT * FROM $t_bug_file_table WHERE id=" . db_param();
break;
case 'doc':
$t_project_file_table = db_get_table( 'mantis_project_file_table' );
- $query = "SELECT *
- FROM $t_project_file_table
- WHERE id='$p_file_id'";
+ $t_query = "SELECT * FROM $t_project_file_table WHERE id=" . db_param();
break;
default:
return SoapObjectsFactory::newSoapFault( 'Server', 'Invalid file type '.$p_type. ' .' );
}
- $result = db_query( $query );
+ $result = db_query_bound( $t_query, array( $p_file_id ) );
if ( $result->EOF ) {
return SoapObjectsFactory::newSoapFault( 'Client', 'Unable to find an attachment with type ' . $p_type. ' and id ' . $p_file_id . ' .' );
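Review bot: `$p_file_id` is now bound rather than interpolated, which closes the injection, but it is still passed through exactly as the SOAP caller sent it; since both `mantis_bug_file_table` and `mantis_project_file_table` are queried by integer `id`, consider casting it (e.g. `db_query_bound( $t_query, array( (int)$p_file_id ) )`) or validating it before the `switch`, so a non-numeric id fails cleanly instead of relying on the driver's coercion. The fault message in the trailing context still concatenates the raw `$p_file_id` and `$p_type` into the response string; that is no longer an SQL problem, but it reflects client input verbatim, so trim or sanitize it if these faults are ever rendered.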