From 5eda2d414e13b7685bd1bb81791872d72c2a0f26 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 27 Dec 2014 18:34:25 +0100
Subject: [PATCH 1/3] Fix SQL injection in manage_user_page.php

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes #17940
---
 manage_user_page.php | 67 +++++++++++++++++++++++++++-------------------------
 1 file changed, 35 insertions(+), 32 deletions(-)

diff --git a/manage_user_page.php b/manage_user_page.php
index 0f964b5..c7c054a 100644
--- a/manage_user_page.php
+++ b/manage_user_page.php
@@ -31,19 +31,46 @@
 
 	access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
-	$f_sort          = gpc_get_string( 'sort', 'username' );
-	$f_dir           = gpc_get_string( 'dir', 'ASC' );
-	$f_hide_inactive = gpc_get_bool( 'hideinactive' );
-	$f_show_disabled = gpc_get_bool( 'showdisabled' );
-	$f_save          = gpc_get_bool( 'save' );
-	$f_filter        = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
-	$f_page_number   = gpc_get_int( 'page_number', 1 );
-
 	$t_user_table = db_get_table( 'mantis_user_table' );
 	$t_cookie_name = config_get( 'manage_users_cookie' );
 	$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
 	$c_filter = '';
 
+	$f_save          = gpc_get_bool( 'save' );
+	$f_filter        = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
+	$f_page_number   = gpc_get_int( 'page_number', 1 );
+
+	if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
+		$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
+
+		# Hide Inactive
+		$f_hide_inactive = (bool)$t_manage_arr[0];
+
+		# Sort field
+		if ( isset( $t_manage_arr[1] ) ) {
+			$f_sort = $t_manage_arr[1];
+		} else {
+			$f_sort = 'username';
+		}
+
+		# Sort order
+		if ( isset( $t_manage_arr[2] ) ) {
+			$f_dir = $t_manage_arr[2];
+		} else {
+			$f_dir = 'DESC';
+		}
+
+		# Show Disabled
+		if ( isset( $t_manage_arr[3] ) ) {
+			$f_show_disabled = $t_manage_arr[3];
+		}
+	} else {
+		$f_sort          = gpc_get_string( 'sort', 'username' );
+		$f_dir           = gpc_get_string( 'dir', 'ASC' );
+		$f_hide_inactive = gpc_get_bool( 'hideinactive' );
+		$f_show_disabled = gpc_get_bool( 'showdisabled' );
+	}
+
 	# Clean up the form variables
 	if ( !db_field_exists( $f_sort, $t_user_table ) ) {
 		$c_sort = 'username';
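Review bot: In the cookie branch, `$f_show_disabled` is taken from the cookie as a raw string and is left unset altogether when the cookie has fewer than four `:`-separated fields, whereas `$f_hide_inactive` on the line above is cast with `(bool)` and the form branch uses `gpc_get_bool()` for both; the later "Clean up the form variables" section (which continues past the end of this hunk) would then see an undefined variable or an unnormalised string for that flag. Replacing the `isset` block with `$f_show_disabled = isset( $t_manage_arr[3] ) ? (bool)$t_manage_arr[3] : false;` gives the two flags the same shape regardless of which branch produced them. The defaults also differ between branches, `'DESC'` for `$f_dir` from the cookie versus `'ASC'` from the form, which appears to be carried over from the removed code; if that is not intentional, a one-line comment such as `# cookie default differs from form default (ASC) — kept for backward compatibility` would document it. The cookie is also read twice via `gpc_get_cookie()` in the `if` condition and the `explode()` call; reading it once into a local and testing that keeps the branch simpler.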
@@ -65,30 +92,6 @@
 	if ( $f_save ) {
 		$t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled;
 		gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
-	} else if ( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
-		$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
-
-		# Hide Inactive
-		$c_hide_inactive = $t_manage_arr[0];
-
-		# Sort field
-		if ( isset( $t_manage_arr[1] ) ) {
-			$c_sort = $t_manage_arr[1];
-		} else {
-			$c_sort = 'username';
-		}
-
-		# Sort order
-		if ( isset( $t_manage_arr[2] ) ) {
-			$c_dir  = $t_manage_arr[2];
-		} else {
-			$c_dir = 'DESC';
-		}
-
-		# Show Disabled
-		if ( isset( $t_manage_arr[3] ) ) {
-			$c_show_disabled = $t_manage_arr[3];
-		}
 	}
 
 	html_page_top( lang_get( 'manage_users_link' ) );
-- 
1.9.1

