
Commit 7cc4539

committed
Fix SQL injection in manage_user_page.php
This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). To avoid injection, the parameters we get from the cookie are now properly sanitized before being used in the SQL query. Fixes #17940
1 parent 75c87e6 commit 7cc4539


1 file changed

+34
-31
lines changed


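--- a/manage_user_page.php
+++ b/manage_user_page.php
@@ -57,17 +57,44 @@
 
 access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
-$f_sort = gpc_get_string( 'sort', 'username' );
-$f_dir = gpc_get_string( 'dir', 'ASC' );
-$f_hide_inactive = gpc_get_bool( 'hideinactive' );
-$f_show_disabled = gpc_get_bool( 'showdisabled' );
+$t_cookie_name = config_get( 'manage_users_cookie' );
+$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
+$c_filter = '';
+
 $f_save = gpc_get_bool( 'save' );
 $f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
 $f_page_number = gpc_get_int( 'page_number', 1 );
 
-$t_cookie_name = config_get( 'manage_users_cookie' );
-$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" alt="' . lang_get( 'protected' ) . '" />';
-$c_filter = '';
+if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
+$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
+
+# Hide Inactive
+$f_hide_inactive = (bool)$t_manage_arr[0];
+
+# Sort field
+if ( isset( $t_manage_arr[1] ) ) {
+$f_sort = $t_manage_arr[1];
+} else {
+$f_sort = 'username';
+}
+
+# Sort order
+if ( isset( $t_manage_arr[2] ) ) {
+$f_dir = $t_manage_arr[2];
+} else {
+$f_dir = 'DESC';
+}
+
+# Show Disabled
+if ( isset( $t_manage_arr[3] ) ) {
+$f_show_disabled = $t_manage_arr[3];
+}
+} else {
+$f_sort = gpc_get_string( 'sort', 'username' );
+$f_dir = gpc_get_string( 'dir', 'ASC' );
+$f_hide_inactive = gpc_get_bool( 'hideinactive' );
+$f_show_disabled = gpc_get_bool( 'showdisabled' );
+}
 
 # Clean up the form variables
 if( !db_field_exists( $f_sort, db_get_table( 'user' ) ) ) {
@@ -90,30 +117,6 @@
 if( $f_save ) {
 $t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled;
 gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
-} else if( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
-$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
-
-# Hide Inactive
-$c_hide_inactive = $t_manage_arr[0];
-
-# Sort field
-if( isset( $t_manage_arr[1] ) ) {
-$c_sort = $t_manage_arr[1];
-} else {
-$c_sort = 'username';
-}
-
-# Sort order
-if( isset( $t_manage_arr[2] ) ) {
-$c_dir = $t_manage_arr[2];
-} else {
-$c_dir = 'DESC';
-}
-
-# Show Disabled
-if( isset( $t_manage_arr[3] ) ) {
-$c_show_disabled = $t_manage_arr[3];
-}
 }
 
 html_page_top( lang_get( 'manage_users_link' ) );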
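Review bot: `$f_show_disabled` is left unset when the cookie has fewer than four `:`-separated parts (new lines 88-91), whereas `$f_sort` and `$f_dir` get explicit defaults, so the clean-up code that follows (it continues past the hunk) would read an undefined variable and get null with a PHP notice. It is also the only field taken from the cookie as a raw string while `$f_hide_inactive` is cast with `(bool)`; suggest replacing the `if` block with `$f_show_disabled = isset( $t_manage_arr[3] ) ? (bool)$t_manage_arr[3] : false;`. Whether the relocated cookie values are actually neutralised before reaching SQL depends on that clean-up code outside the hunk, which only the `db_field_exists( $f_sort, ... )` check is visible from here. The default sort direction still differs between the two branches (`'DESC'` from the cookie, `'ASC'` from the request) — carried over from the old code, but worth aligning while touching this. Separately, the moved `$t_lock_image` line gains a `border="0"` attribute that the removed line did not have, which looks unintended.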
