
Commit 7efe017

mantisdregad
authored and committed
Fix CVE-2014-1609: SQL injection vulnerabilities
Additional cases of db_query() instead of db_query_bound() usage, potentially allowing SQL injection attacks due to unsanitized use of parameters within the query. This includes vboctor's 2 comments. Fixes #16880 Signed-off-by: Damien Regad <dregad@mantisbt.org> Conflicts: admin/db_stats.php plugins/MantisGraph/pages/bug_graph_bycategory.php plugins/MantisGraph/pages/bug_graph_bystatus.php proj_doc_page.php
1 parent 00b4c17 commit 7efe017

8 files changed

+56
-46
lines changed


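--- a/admin/db_stats.php
+++ b/admin/db_stats.php
@@ -30,11 +30,11 @@
 # --------------------
 function helper_table_row_count( $p_table ) {
 $t_table = $p_table;
-$query = "SELECT COUNT(*) FROM $t_table";
-$result = db_query_bound( $query );
-$t_users = db_result( $result );
+$t_query = "SELECT COUNT(*) FROM $t_table";
+$t_result = db_query_bound( $t_query );
+$t_count = db_result( $t_result );
 
-return $t_users;
+return $t_count;
 }
 
 # --------------------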
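Review bot: The table name `$t_table` is still interpolated into the SQL text on the `$t_query = "SELECT COUNT(*) FROM $t_table";` line; `db_query_bound()` binds values only, so this call gives no protection if `$p_table` were ever taken from request input. The callers are not visible in this hunk, and for an admin statistics page that passes fixed table names this is presumably fine, but the contract deserves a comment above the function: `# $p_table must be a trusted, hard-coded table name: identifiers cannot be bound as query parameters.`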

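--- a/api/soap/mc_project_api.php
+++ b/api/soap/mc_project_api.php
@@ -706,14 +706,14 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
 FROM $t_project_file_table pft
 LEFT JOIN $t_project_table pt ON pft.project_id = pt.id
 LEFT JOIN $t_project_user_list_table pult
-ON pft.project_id = pult.project_id AND pult.user_id = $t_user_id
-LEFT JOIN $t_user_table ut ON ut.id = $t_user_id
+ON pft.project_id = pult.project_id AND pult.user_id = " . db_param() . "
+LEFT JOIN $t_user_table ut ON ut.id = " . db_param() . "
 WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND
-( ( ( pt.view_state = $t_pub OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
-( ( pult.user_id = $t_user_id ) AND ( pult.access_level $t_access_clause ) ) OR
-( ut.access_level = $t_admin ) )
+( ( ( pt.view_state = " . db_param() . " OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
+( ( pult.user_id = " . db_param() . " ) AND ( pult.access_level $t_access_clause ) ) OR
+( ut.access_level = " . db_param() . " ) )
 ORDER BY pt.name ASC, pft.title ASC";
-$result = db_query( $query );
+$result = db_query_bound( $query, array( $t_user_id, $t_user_id, $t_pub, $t_user_id, $t_admin ) );
 $num_files = db_num_rows( $result );
 
 $t_result = array();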
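Review bot: After this change the query text still embeds `implode( ',', $t_projects )` on the `WHERE pft.project_id in (...)` line and `$t_access_clause` on the two `access_level $t_access_clause` lines, so the statement is only as safe as those two values, and the hunk does not show where they are built. The identical query in proj_doc_page.php has the same residue. If `$t_projects` holds integer project ids and `$t_access_clause` is assembled internally from configuration, a comment above the query should say so, e.g. `# $t_projects (integer ids) and $t_access_clause (built internally) cannot be bound as parameters and must never come from request input.` mc_project_get_attachments starts before this hunk.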

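--- a/core/news_api.php
+++ b/core/news_api.php
@@ -266,13 +266,15 @@ function news_get_limited_rows( $p_offset, $p_project_id = null ) {
 
 if( 1 == count( $t_projects ) ) {
 $c_project_id = $t_projects[0];
-$query .= " WHERE project_id='$c_project_id'";
+$query .= " WHERE project_id=" . db_params();
+$t_params = array( $c_project_id );
 } else {
 $query .= ' WHERE project_id IN (' . join( $t_projects, ',' ) . ')';
+$t_params = null;
 }
 
 $query .= ' ORDER BY announcement DESC, id DESC';
-$result = db_query( $query, $t_news_view_limit, $c_offset );
+$result = db_query_bound( $query, $t_params, $t_news_view_limit, $c_offset );
 break;
 case 1:
 
@@ -323,4 +325,4 @@ function news_ensure_enabled() {
 if ( !news_is_enabled() ) {
 access_denied();
 }
-}
+}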
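Review bot: The single-project branch calls `db_params()` on the `$query .= " WHERE project_id=" . db_params();` line, while every other hunk in this commit uses `db_param()`; unless `db_params()` is a helper defined elsewhere, that branch fails at runtime as soon as exactly one project is selected, and the `$t_params` list would never be bound. Suggest `$query .= " WHERE project_id=" . db_param();`. The multi-project branch still builds its IN list with `join( $t_projects, ',' )`, which cannot be bound; a comment stating that `$t_projects` holds integer ids from the project list would document why that is acceptable. news_get_limited_rows starts before this hunk.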

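--- a/core/summary_api.php
+++ b/core/summary_api.php
@@ -77,7 +77,7 @@ function summary_print_by_enum( $p_enum ) {
 WHERE $t_project_filter
 GROUP BY $p_enum $t_status_query
 ORDER BY $p_enum $t_status_query";
-$result = db_query( $query );
+$result = db_query_bound( $query );
 
 $t_last_value = -1;
 $t_bugs_open = 0;
@@ -374,10 +374,10 @@ function summary_print_by_age() {
 return;
 }
 $query = "SELECT * FROM $t_mantis_bug_table
-WHERE status < $t_resolved
+WHERE status < " . db_param() . "
 AND $specific_where
 ORDER BY date_submitted ASC, priority DESC";
-$result = db_query( $query );
+$result = db_query_bound( $query, array( $t_resolved ) );
 
 $t_count = 0;
 $t_private_bug_threshold = config_get( 'private_bug_threshold' );
@@ -423,7 +423,7 @@ function summary_print_by_developer() {
 WHERE handler_id>0 AND $specific_where
 GROUP BY handler_id, status
 ORDER BY handler_id, status";
-$result = db_query( $query );
+$result = db_query_bound( $query );
 
 $t_last_handler = -1;
 $t_bugs_open = 0;
@@ -524,7 +524,7 @@ function summary_print_by_reporter() {
 WHERE $specific_where
 GROUP BY reporter_id
 ORDER BY num DESC";
-$result = db_query( $query, $t_reporter_summary_limit );
+$result = db_query_bound( $query, null, $t_reporter_summary_limit );
 
 $t_reporters = array();
 while( $row = db_fetch_array( $result ) ) {
@@ -536,11 +536,11 @@ function summary_print_by_reporter() {
 foreach( $t_reporters as $t_reporter ) {
 $v_reporter_id = $t_reporter;
 $query = "SELECT COUNT(id) as bugcount, status FROM $t_mantis_bug_table
-WHERE reporter_id=$v_reporter_id
+WHERE reporter_id=" . db_param() . "
 AND $specific_where
 GROUP BY status
 ORDER BY status";
-$result2 = db_query( $query );
+$result2 = db_query_bound( $query, array( $v_reporter_id ) );
 
 $last_reporter = -1;
 $t_bugs_open = 0;
@@ -608,7 +608,7 @@ function summary_print_by_category() {
 GROUP BY $t_project_query c.name, b.category_id, b.status
 ORDER BY $t_project_query c.name";
 
-$result = db_query( $query );
+$result = db_query_bound( $query );
 
 $last_category_name = -1;
 $last_category_id = -1;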
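Review bot: In the first hunk, summary_print_by_enum still interpolates the column name `$p_enum` into the `GROUP BY $p_enum $t_status_query` and `ORDER BY $p_enum $t_status_query` lines, and swapping `db_query()` for `db_query_bound()` with no parameter list changes nothing about that, since identifiers cannot be bound. The graph_api.php hunks in this same commit guard the equivalent `$p_enum` with a field-existence check, and this function should do the same before building the query: `if( !db_field_exists( $p_enum, $t_mantis_bug_table ) ) { trigger_error( ERROR_DB_FIELD_NOT_FOUND, ERROR ); }` (using whichever bug-table variable that function declares; `$t_mantis_bug_table` is what the sibling functions in this file use). summary_print_by_enum starts before the hunk, so the exact insertion point is not visible here.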

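--- a/plugins/MantisGraph/core/graph_api.php
+++ b/plugins/MantisGraph/core/graph_api.php
@@ -583,11 +583,15 @@ function create_bug_enum_summary( $p_enum_string, $p_enum ) {
 $t_metrics = array();
 $t_assoc_array = MantisEnum::getAssocArrayIndexedByValues( $p_enum_string );
 
+if( !db_field_exists( $p_enum, $t_bug_table ) ) {
+trigger_error( ERROR_DB_FIELD_NOT_FOUND, ERROR );
+}
+
 foreach ( $t_assoc_array as $t_value => $t_label ) {
 $query = "SELECT COUNT(*)
 FROM $t_bug_table
-WHERE $p_enum='$t_value' $specific_where";
-$result = db_query( $query );
+WHERE $p_enum=" . db_param() . " $specific_where";
+$result = db_query_bound( $query, array( $t_value ) );
 $t_metrics[$t_label] = db_result( $result, 0 );
 }
 
@@ -605,32 +609,36 @@ function enum_bug_group( $p_enum_string, $p_enum ) {
 $t_clo_val = config_get( 'bug_closed_status_threshold' );
 $specific_where = " AND " . helper_project_specific_where( $t_project_id, $t_user_id );
 
+if( !db_field_exists( $p_enum, $t_bug_table ) ) {
+trigger_error( ERROR_DB_FIELD_NOT_FOUND, ERROR );
+}
+
 $t_array_indexed_by_enum_values = MantisEnum::getAssocArrayIndexedByValues( $p_enum_string );
 $enum_count = count( $t_array_indexed_by_enum_values );
 foreach ( $t_array_indexed_by_enum_values as $t_value => $t_label ) {
 # Calculates the number of bugs opened and puts the results in a table
 $query = "SELECT COUNT(*)
 FROM $t_bug_table
-WHERE $p_enum='$t_value' AND
-status<'$t_res_val' $specific_where";
-$result2 = db_query( $query );
+WHERE $p_enum=" . db_param() . " AND
+status<" . db_param() . " $specific_where";
+$result2 = db_query( $query, array( $t_value, $t_res_val ) );
 $t_metrics['open'][$t_label] = db_result( $result2, 0, 0 );
 
 # Calculates the number of bugs closed and puts the results in a table
 $query = "SELECT COUNT(*)
 FROM $t_bug_table
-WHERE $p_enum='$t_value' AND
-status>='$t_clo_val' $specific_where";
-$result2 = db_query( $query );
+WHERE $p_enum=" . db_param() . " AND
+status>=" . db_param() . " $specific_where";
+$result2 = db_query_bound( $query, array( $t_value, $t_clo_val ) );
 $t_metrics['closed'][$t_label] = db_result( $result2, 0, 0 );
 
 # Calculates the number of bugs resolved and puts the results in a table
 $query = "SELECT COUNT(*)
 FROM $t_bug_table
-WHERE $p_enum='$t_value' AND
-status>='$t_res_val' AND
-status<'$t_clo_val' $specific_where";
-$result2 = db_query( $query );
+WHERE $p_enum=" . db_param() . " AND
+status>=" . db_param() . " AND
+status<" . db_param() . " $specific_where";
+$result2 = db_query_bound( $query, array( $t_value, $t_res_val, $t_clo_val ) );
 $t_metrics['resolved'][$t_label] = db_result( $result2, 0, 0 );
 }
 
@@ -818,12 +826,12 @@ function create_cumulative_bydate() {
 FROM $t_bug_table LEFT JOIN $t_history_table
 ON $t_bug_table.id = $t_history_table.bug_id
 WHERE $specific_where
-AND $t_bug_table.status >= '$t_res_val'
-AND ( ( $t_history_table.new_value >= '$t_res_val'
+AND $t_bug_table.status >= " . db_param() . "
+AND ( ( $t_history_table.new_value >= " . db_param() . "
 AND $t_history_table.field_name = 'status' )
 OR $t_history_table.id is NULL )
 ORDER BY $t_bug_table.id, date_modified ASC";
-$result = db_query( $query );
+$result = db_query( $query, array( $t_res_val, $t_res_val ) );
 $bug_count = db_num_rows( $result );
 
 $t_last_id = 0;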
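Review bot: The "bugs opened" count in enum_bug_group is executed with `$result2 = db_query( $query, array( $t_value, $t_res_val ) );`, and create_cumulative_bydate with `$result = db_query( $query, array( $t_res_val, $t_res_val ) );`, while the two sibling queries in the same loop use `db_query_bound()`. Judging by the other call sites in this commit (news_api.php and summary_api.php pass a row limit as the second argument of `db_query()`), `db_query()` takes no parameter list, so the `db_param()` placeholders these two queries now contain would be left unbound and the statements would fail or misbehave. Both lines should read `db_query_bound( $query, array( ... ) )` with the same argument lists. enum_bug_group and create_cumulative_bydate both start before their hunks.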

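--- a/plugins/MantisGraph/pages/bug_graph_bycategory.php
+++ b/plugins/MantisGraph/pages/bug_graph_bycategory.php
@@ -105,9 +105,9 @@
 ' WHERE bug_id in ('.implode(',', $t_bug).') and '.
 '( (type='.NORMAL_TYPE.' and field_name=\'category\') or '.
 '(type='.NORMAL_TYPE.' and field_name=\'status\') or type='.NEW_BUG.' ) and '.
-'date_modified >= \''. $t_start .'\''.
+'date_modified >= ' . db_param() .
 ' order by date_modified DESC';
-$t_result = db_query( $t_select );
+$t_result = db_query_bound( $t_select, array( $t_start ) );
 $row = db_fetch_array( $t_result );
 
 for ($t_now = time() - $t_incr; $t_now >= $t_start; $t_now -= $t_incr) {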
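Review bot: Only `$t_start` is bound after this change; the `implode(',', $t_bug)` on the first line of the hunk is still concatenated into the IN list as text, and the hunk does not show how `$t_bug` is populated. The same residue is in bug_graph_bystatus.php. If `$t_bug` is filled from bug ids read back from the database, a comment above `$t_select` would make that assumption explicit for the next reader, e.g. `# $t_bug holds integer bug ids from the previous query; an IN list cannot be bound as a parameter.` Note also that `$t_start` was previously emitted inside single quotes and is now bound as a bare value, which is the right treatment for a timestamp compared against `date_modified`.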

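--- a/plugins/MantisGraph/pages/bug_graph_bystatus.php
+++ b/plugins/MantisGraph/pages/bug_graph_bystatus.php
@@ -101,9 +101,9 @@
 $t_select = 'SELECT bug_id, type, old_value, new_value, date_modified FROM '.$t_bug_hist_table.
 ' WHERE bug_id in ('.implode(',', $t_bug).
 ') and ( (type='.NORMAL_TYPE.' and field_name=\'status\')
-or type='.NEW_BUG.' ) and date_modified >= \''. $t_start .'\''.
+or type='.NEW_BUG.' ) and date_modified >= ' . db_param() .
 ' order by date_modified DESC';
-$t_result = db_query( $t_select );
+$t_result = db_query_bound( $t_select, array( $t_start ) );
 $t_row = db_fetch_array( $t_result );
 
 for ($t_now = time() - $t_incr; $t_now >= $t_start; $t_now -= $t_incr) {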

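--- a/proj_doc_page.php
+++ b/proj_doc_page.php
@@ -71,14 +71,14 @@
 FROM $t_project_file_table pft
 LEFT JOIN $t_project_table pt ON pft.project_id = pt.id
 LEFT JOIN $t_project_user_list_table pult
-ON pft.project_id = pult.project_id AND pult.user_id = $t_user_id
-LEFT JOIN $t_user_table ut ON ut.id = $t_user_id
+ON pft.project_id = pult.project_id AND pult.user_id = " . db_param() . "
+LEFT JOIN $t_user_table ut ON ut.id = " . db_param() . "
 WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND
-( ( ( pt.view_state = $t_pub OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
-( ( pult.user_id = $t_user_id ) AND ( pult.access_level $t_access_clause ) ) OR
-( ut.access_level >= $t_admin ) )
+( ( ( pt.view_state = " . db_param() . " OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
+( ( pult.user_id = " . db_param() . " ) AND ( pult.access_level $t_access_clause ) ) OR
+( ut.access_level >= " . db_param() . " ) )
 ORDER BY pt.name ASC, pft.title ASC";
-$result = db_query( $query );
+$result = db_query_bound( $query, array( $t_user_id, $t_user_id, $t_pub, $t_user_id, $t_admin ) );
 $num_files = db_num_rows( $result );
 
 html_page_top( lang_get( 'docs_link' ) );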
