
Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this issue, introduced by f8a81a3 in MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes #17055
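The commit message names the root cause, inlined query parameters, without showing what the database sees in each case. The following is an added example written for this page, not MantisBT's own code: Python with an in-memory SQLite table stands in for PHP and ADOdb, the table, rows, the FILTER_NONE sentinel and the hostile filter value are all constructed here, and the two builder functions reproduce the before and after shapes of the WHERE clause so the difference in returned rows can be checked directly.

```python
import sqlite3

# Sentinel for "no filter on this column". It plays the role META_FILTER_NONE
# plays in adm_config_report.php; the value here is this example's own choice.
FILTER_NONE = None

# Constructed sample rows standing in for the config table the report reads.
SAMPLE_ROWS = [
    (1, 0, "allow_signup", "1"),
    (1, 2, "default_language", "english"),
    (5, 2, "allow_signup", "0"),
    (5, 3, "window_title", "Tracker"),
]

SELECT = "SELECT user_id, project_id, config_id, value FROM config"
ORDER = " ORDER BY user_id, project_id, config_id"


def open_db():
    """In-memory SQLite table loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE config (user_id INTEGER, project_id INTEGER, "
        "config_id TEXT, value TEXT)"
    )
    con.executemany("INSERT INTO config VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def build_where_inlined(user, project, config):
    """The pre-fix pattern: filter values are interpolated into the SQL text,
    so the database cannot tell data from syntax."""
    where = ""
    if user is not FILTER_NONE:
        where += f" AND user_id = {user} "
    if project is not FILTER_NONE:
        where += f" AND project_id = {project} "
    if config is not FILTER_NONE:
        where += f" AND config_id = '{config}' "
    if where:
        where = " WHERE 1=1 " + where
    return where


def build_where_bound(user, project, config):
    """The post-fix pattern: one placeholder per active filter, with the value
    pushed onto a parallel list in the same branch so the order stays in lockstep."""
    where = ""
    params = []
    if user is not FILTER_NONE:
        where += " AND user_id = ? "
        params.append(user)
    if project is not FILTER_NONE:
        where += " AND project_id = ? "
        params.append(project)
    if config is not FILTER_NONE:
        where += " AND config_id = ? "
        params.append(config)
    if where:
        where = " WHERE 1=1 " + where
    return where, params


def query_inlined(con, user, project, config):
    """Run the report query with filter values pasted into the SQL string."""
    return con.execute(SELECT + build_where_inlined(user, project, config) + ORDER).fetchall()


def query_bound(con, user, project, config):
    """Run the report query with filter values passed as bound parameters."""
    where, params = build_where_bound(user, project, config)
    return con.execute(SELECT + where + ORDER, params).fetchall()


# Constructed filter value: the quote closes the literal and the rest is parsed as SQL
# when inlined, but is just an unusual string when bound.
HOSTILE_CONFIG_FILTER = "allow_signup' OR '1'='1"


def demo():
    """Row counts for: an honest bound query, the inlined query given the hostile
    value, and the bound query given the same hostile value."""
    con = open_db()
    honest = query_bound(con, FILTER_NONE, FILTER_NONE, "allow_signup")
    leaked = query_inlined(con, FILTER_NONE, FILTER_NONE, HOSTILE_CONFIG_FILTER)
    held = query_bound(con, FILTER_NONE, FILTER_NONE, HOSTILE_CONFIG_FILTER)
    return len(honest), len(leaked), len(held)


if __name__ == "__main__":
    print(demo())  # (2, 4, 0)
```

The inlined form turns the hostile value into `WHERE 1=1 AND config_id = 'allow_signup' OR '1'='1'`, which matches every row; the bound form compares config_id against the whole string and matches nothing. Note that the bound builder never needs to know whether a column is numeric or text, which is exactly the distinction the pre-fix code tried to handle with ad hoc quoting.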
1 parent 4009cc0 commit a608f2d00a6eb0641605358cb683c176e671dc04 @dregad dregad committed Feb 28, 2014
Showing with 8 additions and 4 deletions.
adm_config_report.php (+8 −4)
@@ -216,14 +216,18 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
# Build filter's where clause
$t_where = '';
+ $t_param = array();
if( $t_filter_user_value != META_FILTER_NONE ) {
- $t_where .= " AND user_id = $t_filter_user_value ";
+ $t_where .= " AND user_id = " . db_param();
+ $t_param[] = $t_filter_user_value;
}
if( $t_filter_project_value != META_FILTER_NONE ) {
- $t_where .= " AND project_id = $t_filter_project_value ";
+ $t_where .= " AND project_id = " . db_param();
+ $t_param[] = $t_filter_project_value;
}
if( $t_filter_config_value != META_FILTER_NONE ) {
- $t_where .= " AND config_id = '$t_filter_config_value' ";
+ $t_where .= " AND config_id = " . db_param();
+ $t_param[] = $t_filter_config_value;
}
if( $t_where != '' ) {
$t_where = " WHERE 1=1 " . $t_where;
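Review bot: the correctness of this hunk rests on $t_param being appended in exactly the same order as the db_param() placeholders are appended to $t_where. That holds here because each if-block does both, but nothing states the invariant, so a later change that builds $t_where in one place and $t_param in another would silently bind the wrong value to the wrong column. Suggest a one-line comment above `$t_param = array();` saying the two must stay in lockstep, or collecting each filter as a (clause, value) pair and splitting them once before the query. Also worth confirming, since it is outside the hunk, that $t_filter_user_value and $t_filter_project_value are already coerced to integers where they are read from the request: the old code compared user_id and project_id unquoted, so binding closes the injection but any type validation still belongs at the point the values come in.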
@@ -233,7 +237,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
FROM $t_config_table
$t_where
ORDER BY user_id, project_id, config_id ";
- $result = db_query_bound( $query );
+ $result = db_query_bound( $query, $t_param );
?>
<br />
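Review bot: db_query_bound( $query, $t_param ) is now called with an empty array whenever no filter is selected (the three if-blocks leave $t_param as array() and $t_where as ''), whereas before this change the call passed no parameter argument at all; check that db_query_bound treats an empty array the same as the omitted argument, otherwise the unfiltered report regresses. The remaining interpolations of $t_config_table and $t_where into the query text are acceptable only because both are built from code rather than request data; a short comment to that effect next to the query would keep the next reader from mistaking them for the same class of bug this commit fixes.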
