CVE-2021-3286 - SQL injection incomplete fix #653
Comments
Thank you for bringing this to our attention, we will have a look and see when we can fix this but it may take some time.

CVE-2021-3286 was assigned to this issue.

Parameterized queries, combined with a white list instead of a black list, would solve this I think. For information on using parameterized queries with PHP see https://www.php.net/manual/en/pdo.prepared-statements.php

That's already known for a long time. But the nature of spotweb filters keeps us from using parameterized queries.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

It looks strange, though, that a bot would close a valid issue which is still unfixed. Is there any chance to prevent that (i.e. without the need to ping the bug to remove the stale label)?

You've just prevented that.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Well, ping to the bot then.

For clarity, as far as I understand this issue was manually closed not because it was fixed, but because it was deemed unfixable.

You're welcome to fix it if you can.

Thanks for your quick confirmation, appreciated.
Describe the bug/issue
Hi, I'm part of the Debian LTS Team and I'm investigating CVE-2020-35545, reported under #629, which describes an SQL injection.
The fix from fefb39a / 25c1f89 introduces a black list and a regex to attempt to filter out the malicious payload.
The fix is incomplete and a variation of the example payload escapes the black list.
Have you searched the internet or Github for an answer?
Yes.
To Reproduce
Expected behavior
User input escaped in SQL query.
Additional context
Using a blacklist filter is not recommended in this scenario, because SQL/MySQL queries can be written in varied and unexpected ways, see e.g.:
http://cwe.mitre.org/data/definitions/89.html
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
which recommends parametrization and white lists, among other solutions.
The procedure is to request a new CVE identifier when a vulnerability was previously considered fixed.
I plan to do that, unless you tell me not to before the end of the week.
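An added example of the approach the report and the earlier comment recommend (parameterization plus a white list), written for this thread and not taken from Spotweb or from any participant. It addresses the objection that user-defined filters cannot be parameterized: the parts of a filter that cannot be bound as a parameter (column name, operator) are looked up in an allowlist, and only the value is bound. The `spots` table, its columns, and the `[column, operator, value]` filter shape are assumptions made for the example, not Spotweb's real schema or filter format; an in-memory SQLite database is used so it runs without a server.

```php
<?php
// Added example (not Spotweb code): translate user-defined search filters into
// a parameterized PDO query. Identifiers come only from allowlists; values are
// always bound, never interpolated into the SQL text.
declare(strict_types=1);

// Allowlist of filter columns (assumed schema) mapped to their SQL identifier.
const FILTER_COLUMNS = [
    'title'    => 'title',
    'poster'   => 'poster',
    'category' => 'category',
    'filesize' => 'filesize',
];

// Allowlist of operators: the key is what a client may send, the value is the SQL.
const FILTER_OPERATORS = [
    'eq'   => '=',
    'ne'   => '<>',
    'lt'   => '<',
    'gt'   => '>',
    'like' => 'LIKE',
];

/**
 * Build a SELECT with a WHERE clause from [column, operator, value] triples.
 * Unknown columns or operators are rejected outright (no pattern matching on
 * the input); the value is returned as a bound parameter, so its content is
 * irrelevant to the SQL structure.
 *
 * @param array<int, array{0:string, 1:string, 2:string|int}> $filters
 * @return array{0:string, 1:array<int, string|int>}  [sql, params]
 */
function buildFilterQuery(array $filters): array
{
    $clauses = [];
    $params  = [];
    foreach ($filters as [$column, $operator, $value]) {
        if (!isset(FILTER_COLUMNS[$column])) {
            throw new InvalidArgumentException("Unknown filter column: $column");
        }
        if (!isset(FILTER_OPERATORS[$operator])) {
            throw new InvalidArgumentException("Unknown filter operator: $operator");
        }
        $clauses[] = FILTER_COLUMNS[$column] . ' ' . FILTER_OPERATORS[$operator] . ' ?';
        $params[]  = $value;
    }
    $sql = 'SELECT id, title, poster FROM spots';
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

// Constructed in-memory database with a few sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE spots (id INTEGER PRIMARY KEY, title TEXT, poster TEXT, category INTEGER, filesize INTEGER)');
$insert = $pdo->prepare('INSERT INTO spots (title, poster, category, filesize) VALUES (?, ?, ?, ?)');
foreach ([
    ['Holiday photos', 'alice', 1, 1500],
    ['Linux ISO',      'bob',   2, 4000000],
    ['Old film',       'alice', 1, 900000],
] as $row) {
    $insert->execute($row);
}

// A value containing SQL syntax is compared literally because it is bound:
// no poster is named "alice' OR '1'='1", so this returns 0 rows.
[$sql, $params] = buildFilterQuery([['poster', 'eq', "alice' OR '1'='1"]]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
printf("%s -> %d row(s)\n", $sql, count($stmt->fetchAll(PDO::FETCH_ASSOC)));

// A legitimate multi-clause filter: alice's spots larger than 1000 bytes (2 rows).
[$sql, $params] = buildFilterQuery([['poster', 'eq', 'alice'], ['filesize', 'gt', 1000]]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
printf("%s -> %d row(s)\n", $sql, count($stmt->fetchAll(PDO::FETCH_ASSOC)));

// Anything outside the allowlist is refused before any SQL is built,
// regardless of what the string contains.
try {
    buildFilterQuery([['poster OR 1', 'eq', 'alice']]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The contrast with the regex approach from the fix in question is that nothing here inspects the user's input for forbidden fragments: identifiers either match an allowlist key exactly or are refused, and values never reach the SQL parser as SQL. When this pattern is used against MySQL rather than SQLite, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO use server-side prepared statements so that binding is done by the server rather than by client-side quoting.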