
Commit 69c2d28

committed
Fix SQL injection in manage_user_page.php
This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). To avoid injection, the parameters we get from the cookie are now properly sanitized before being used in the SQL query. Fixes #17940
1 parent 580d45e commit 69c2d28


1 file changed

+35
-32
lines changed


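--- a/manage_user_page.php
+++ b/manage_user_page.php
@@ -31,19 +31,46 @@
 
 access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
-$f_sort = gpc_get_string( 'sort', 'username' );
-$f_dir = gpc_get_string( 'dir', 'ASC' );
-$f_hide_inactive = gpc_get_bool( 'hideinactive' );
-$f_show_disabled = gpc_get_bool( 'showdisabled' );
-$f_save = gpc_get_bool( 'save' );
-$f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
-$f_page_number = gpc_get_int( 'page_number', 1 );
-
 $t_user_table = db_get_table( 'mantis_user_table' );
 $t_cookie_name = config_get( 'manage_users_cookie' );
 $t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
 $c_filter = '';
 
+$f_save = gpc_get_bool( 'save' );
+$f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
+$f_page_number = gpc_get_int( 'page_number', 1 );
+
+if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
+$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
+
+# Hide Inactive
+$f_hide_inactive = (bool)$t_manage_arr[0];
+
+# Sort field
+if ( isset( $t_manage_arr[1] ) ) {
+$f_sort = $t_manage_arr[1];
+} else {
+$f_sort = 'username';
+}
+
+# Sort order
+if ( isset( $t_manage_arr[2] ) ) {
+$f_dir = $t_manage_arr[2];
+} else {
+$f_dir = 'DESC';
+}
+
+# Show Disabled
+if ( isset( $t_manage_arr[3] ) ) {
+$f_show_disabled = $t_manage_arr[3];
+}
+} else {
+$f_sort = gpc_get_string( 'sort', 'username' );
+$f_dir = gpc_get_string( 'dir', 'ASC' );
+$f_hide_inactive = gpc_get_bool( 'hideinactive' );
+$f_show_disabled = gpc_get_bool( 'showdisabled' );
+}
+
 # Clean up the form variables
 if ( !db_field_exists( $f_sort, $t_user_table ) ) {
 $c_sort = 'username';
@@ -65,30 +92,6 @@
 if ( $f_save ) {
 $t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled;
 gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
-} else if ( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
-$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
-
-# Hide Inactive
-$c_hide_inactive = $t_manage_arr[0];
-
-# Sort field
-if ( isset( $t_manage_arr[1] ) ) {
-$c_sort = $t_manage_arr[1];
-} else {
-$c_sort = 'username';
-}
-
-# Sort order
-if ( isset( $t_manage_arr[2] ) ) {
-$c_dir = $t_manage_arr[2];
-} else {
-$c_dir = 'DESC';
-}
-
-# Show Disabled
-if ( isset( $t_manage_arr[3] ) ) {
-$c_show_disabled = $t_manage_arr[3];
-}
 }
 
 html_page_top( lang_get( 'manage_users_link' ) );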
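Review bot: In the cookie branch of the first hunk, the `# Show Disabled` block assigns `$f_show_disabled` only when `$t_manage_arr[3]` is set, so a cookie with fewer than four `:`-separated fields leaves `$f_show_disabled` undefined by the time the cleanup code reads it, whereas the sort and direction fields get a default in an `else` and `$f_hide_inactive` additionally gets a `(bool)` cast that this field lacks. Replace the three-line `if` with `$f_show_disabled = isset( $t_manage_arr[3] ) ? (bool)$t_manage_arr[3] : false;` so the cookie path yields the same boolean that `gpc_get_bool( 'showdisabled' )` yields on the request path. The sort field is whitelisted against the table via `db_field_exists` at the top of the cleanup block; `$f_dir` taken from the cookie presumably gets an equivalent check, but that cleanup continues past the hunk, so it is worth confirming it only admits ASC/DESC before the value is used in the query. The default direction also differs between the two branches (`'DESC'` for the cookie, `'ASC'` for the request), which looks carried over from the removed code rather than intended.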
