SQL injection in mc_project_get_attachments()
This is a follow-up on CVE-2014-1609 / issue #16880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in #16880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue #17823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes #17812, CVE-2014-8554
dregad committed Nov 1, 2014
1 parent 43c39d7 commit 99ffb0a
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions api/soap/mc_project_api.php
Expand Up @@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
return mci_soap_fault_login_failed();
}

$p_project_id = (int)$p_project_id;
$g_project_override = $p_project_id;

# Check if project documentation feature is enabled.
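Review bot: the `(int)` cast on `$p_project_id` silently coerces malformed input instead of rejecting it, so a value with trailing non-numeric text is accepted as its leading number and a wholly non-numeric value becomes 0. Consider checking that the parameter is numeric before the cast and returning a SOAP fault otherwise, in the same way the login check just above returns `mci_soap_fault_login_failed()`. The added line also has no comment; a short note that the cast is the injection fix for #17812 would keep it from being dropped later as a redundant conversion. Since the commit message says the earlier fix in #16880 was incomplete, it is also worth confirming that the query consuming this id binds it as a parameter rather than relying on the cast alone.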