* Fix SQL injection for comment.php used in read-context.
  (Thanks to High-Tech Bridge SA Security Release Lab, Advisory HTB23092)
commit 87153991d06bc18fe4af05f97810487c4a340a92 1 parent a6f37ee
Garvin Hicking authored May 16, 2012
6  docs/NEWS
@@ -1,5 +1,11 @@
1 1
 # $Id$
2 2
 
  3
+Version 1.6.2 (May 16th, 2012)
  4
+------------------------------------------------------------------------
  5
+
  6
+    * Fix SQL injection for comment.php used in read-context.     
  7
+      (Thanks to High-Tech Bridge SA Security Release Lab, Advisory HTB23092)
  8
+          
3 9
 Version 1.6.1 (May 8th, 2012)
4 10
 ------------------------------------------------------------------------
5 11
 
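Review bot: the added NEWS lines carry trailing whitespace: the `* Fix SQL injection for comment.php used in read-context.` entry ends in a run of spaces and the line after the advisory credit is whitespace-only. Strip the trailing spaces and leave that separator line empty so the 1.6.2 block matches the 1.6.1 block below it. On wording, the entry names comment.php, while the code change in this commit is in add_trackback() in include/functions_trackbacks.inc.php; if the comment.php part of the fix is in another commit, naming it here (or in the commit message) would help anyone tracing advisory HTB23092 through the history.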
2  include/functions_trackbacks.inc.php
@@ -364,7 +364,7 @@ function add_trackback ($id, $title, $url, $name, $excerpt) {
364 364
 
365 365
     if ($id>0) {
366 366
         // first check, if we already have this trackback
367  
-        $comments = serendipity_fetchComments($id,1,'co.id',true,'TRACKBACK'," AND co.url='$url'");
  367
+        $comments = serendipity_fetchComments($id,1,'co.id',true,'TRACKBACK'," AND co.url='" . serendipity_db_escape_string($url) . "'");
368 368
         if (is_array($comments) && sizeof($comments) == 1) {
369 369
             log_pingback("We already have that TRACKBACK!");
370 370
             return 0; // We already have it!
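Review bot: the escaping is correct only because the escaped value lands inside single quotes in `" AND co.url='" . serendipity_db_escape_string($url) . "'"`; serendipity_db_escape_string() on its own does not protect an unquoted interpolation, so the quotes must stay whenever this pattern is reused. The WHERE fragment is still assembled by string concatenation and handed to serendipity_fetchComments() as raw SQL, so this closes one instance rather than the class of bug; a bound parameter, or a helper that accepts column/value pairs and quotes them itself, would be the stronger follow-up. Since $url reached this query unescaped, the other add_trackback() arguments ($title, $name, $excerpt) deserve the same check on their way to the database; they are outside this hunk, so this is a request to confirm, not a finding. Finally, `if ($id>0)` establishes that $id is positive but not that it is an integer; an `(int)` cast before use is the usual guard.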
2  serendipity_config.inc.php
@@ -45,7 +45,7 @@
45 45
 }
46 46
 
47 47
 // The version string
48  
-$serendipity['version']         = '1.6.1';
  48
+$serendipity['version']         = '1.6.2';
49 49
 
50 50
 // Setting this to 'false' will enable debugging output. All alpa/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.
51 51
 $serendipity['production']      = (preg_match('@\-(alpha|beta|cvs)@', $serendipity['version']) ? false : true);
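Review bot: the bump to '1.6.2' is consistent with the NEWS entry in this commit, so nothing to change here. Unrelated to the fix, the unchanged comment on the following line reads "alpa/beta/cvs" where "alpha" is meant; worth a one-word follow-up, since that comment documents the regex that decides whether debug output is enabled.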

1 note on commit 8715399

q--

Since the bug has been fixed for half a year or so, I don't think it can cause any harm to link a page at the Microsoft Developer Network that explains how blind SQL injection holes are actually exploited: Time-Based Blind SQL Injection with Heavy Queries.

Also note that tools to automate this process are widely available.
