
Commit 00b4c17

mantisdregad authored and committed
Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH, who discovered the issue during an audit at a customer's site.

Fixes #16879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
	api/soap/mc_file_api.php
1 parent b72fdae commit 00b4c17

1 file changed

+4
-8
lines changed

Diff for: api/soap/mc_file_api.php

@@ -154,25 +154,21 @@ function mci_file_get( $p_file_id, $p_type, $p_user_id ) {
154154

155155
# we handle the case where the file is attached to a bug
156156
# or attached to a project as a project doc.
157-
$query = '';
157+
$t_query = '';
158158
switch( $p_type ) {
159159
case 'bug':
160160
$t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
161-
$query = "SELECT *
162-
FROM $t_bug_file_table
163-
WHERE id='$p_file_id'";
161+
$t_query = "SELECT * FROM $t_bug_file_table WHERE id=" . db_param();
164162
break;
165163
case 'doc':
166164
$t_project_file_table = db_get_table( 'mantis_project_file_table' );
167-
$query = "SELECT *
168-
FROM $t_project_file_table
169-
WHERE id='$p_file_id'";
165+
$t_query = "SELECT * FROM $t_project_file_table WHERE id=" . db_param();
170166
break;
171167
default:
172168
return SoapObjectsFactory::newSoapFault( 'Server', 'Invalid file type '.$p_type. ' .' );
173169
}
174170

175-
$result = db_query( $query );
171+
$result = db_query_bound( $t_query, array( $p_file_id ) );
176172

177173
if ( $result->EOF ) {
178174
return SoapObjectsFactory::newSoapFault( 'Client', 'Unable to find an attachment with type ' . $p_type. ' and id ' . $p_file_id . ' .' );
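Review bot: the binding change is the right fix, but the SOAP fault on the last context line of this hunk (`'Unable to find an attachment with type ' . $p_type . ' and id ' . $p_file_id . ' .'`) and the one in the `default:` branch (`'Invalid file type ' . $p_type . ' .'`) still concatenate the raw, unvalidated `$p_type` and `$p_file_id` into the response text. That is no longer a SQL injection path, since the query now goes through `db_query_bound( $t_query, array( $p_file_id ) )` with `db_param()` placeholders, but echoing caller-controlled input verbatim into an error message is worth tightening in the same change: either omit the values from the fault string or ensure they are escaped for the encoding the SOAP layer emits. Two smaller points: if `id` is an integer column, casting `(int)$p_file_id` before binding would reject non-numeric input up front rather than relying on the database to fail the comparison; and the rename from `$query` to `$t_query` matches the project's `t_` prefix convention for locals, which is good, so the same convention could be applied consistently to `$result` while this function is being touched.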
