SQL injection in AVP Module
2007-09-26 02:01:20
Bugs item #1802421, was opened at 2007-09-26 04:14
Message generated for change (Comment added) made by henningw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request, not just the latest update.
Category: modules
Group: ver 1.2.x
>Status: Pending
Resolution: None
>Priority: 3
Private: No
Submitted By: Aron Rosenberg (amr42)
>Assigned to: Henning Westerholt (henningw)
Summary: SQL injection in AVP Module

Initial Comment:
The AVPOPS module function avp_db_query is susceptible to SQL injection
attacks because any AVPs used within the query string are not escaped properly.

The UNIXODBC module has an existing SQL escape function which could be used
in this case, and it also has a module parameter to force escaping of
parameters used in queries.

A simple script example of the problem is this:

    # AVP value containing a single quote
    avp_printf("$avp(to_displayname)", "Mc'Dowell");
    # the pseudo-variable is pasted into the raw query without escaping
    avp_db_query("select * from table where a='$tn' and b=1");

On a MySQL backend this will result in a SQL error on the query, but if the
AVP value used comes from the wire, a SQL injection is possible.

----------------------------------------------------------------------

>Comment By: Henning Westerholt (henningw)
Date: 2007-09-26 07:01

Message:
Logged In: YES 
user_id=337916
Originator: NO

I've added a note about this behaviour to the function in the trunk and 1.2
branch.

It is possible; does it make sense to escape all PVs automatically in
avp_db_query?

Henning

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-09-26 06:14

Message:
Logged In: YES 
user_id=1318360
Originator: NO

This is a known limitation of the RAW queries. You have to escape the
parameters manually:
http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x#s.escape.common

Probably we should add this to the avpops README.

----------------------------------------------------------------------
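The defect reported above and the manual escaping Klaus points to, modelled as an added Python example (this is not code from the bug report, from AVPOPS or from OpenSER): build_query() pastes a value into the report's raw query the way avp_db_query does, escape_common() stands in for the {s.escape.common} transformation (assumed here to backslash-escape ' " \ and NUL, which is what MySQL's default string syntax expects), and structure_matches() checks whether the finished query still has the shape of the intended template.

```python
TEMPLATE = "select * from table where a='{value}' and b=1"   # the report's raw query


def escape_common(value: str) -> str:
    """Backslash-escape ' " \\ and NUL, the set assumed here for
    {s.escape.common}; matches MySQL's default (backslash) string syntax."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in value)


def build_query(value: str, escape: bool) -> str:
    """Paste the AVP value into the raw query, as avp_db_query does, with the
    transformation applied first when escape=True."""
    return TEMPLATE.format(value=escape_common(value) if escape else value)


def skeleton(query: str):
    """Replace every single-quoted literal with '?', honouring backslash escapes
    and doubled quotes. Returns (skeleton, balanced); balanced is False when the
    query ends inside an open literal (which is why MySQL reports an error)."""
    out, i, n = [], 0, len(query)
    while i < n:
        if query[i] != "'":
            out.append(query[i])
            i += 1
            continue
        i += 1                      # opening quote consumed; scan for the close
        while i < n:
            c = query[i]
            if c == "\\" and i + 1 < n:
                i += 2              # backslash escape: skip the escaped char
            elif c == "'" and i + 1 < n and query[i + 1] == "'":
                i += 2              # doubled quote inside a literal
            elif c == "'":
                break               # closing quote
            else:
                i += 1
        else:
            out.append("'?")
            return "".join(out), False
        out.append("'?'")
        i += 1                      # consume the closing quote
    return "".join(out), True


def structure_matches(query: str) -> bool:
    """True when the finished query has the same shape as the template, i.e. the
    AVP value stayed inside its literal instead of becoming SQL."""
    expected, _ = skeleton(TEMPLATE.format(value="x"))
    got, balanced = skeleton(query)
    return balanced and got == expected
```

With the report's "Mc'Dowell" value the unescaped query ends inside an open literal, which is the MySQL error the reporter saw; after escape_common() the literal closes where the template intended.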


_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
