From 46c0767c5262746b930aeb4f0f30f86bbf5496a6 Mon Sep 17 00:00:00 2001 From: niekt0 Date: Thu, 4 Nov 2010 01:49:44 +0100 Subject: [PATCH] fixing several SQL injections --- doc/TODO | 2 +- wwwroot/inc/eventz/K.inc | 5 ++ wwwroot/inc/eventz/configure.inc | 14 ++--- .../inc/eventz/configure_external_access.inc | 51 ++++++++++--------- .../inc/eventz/configure_system_access.inc | 4 +- wwwroot/inc/eventz/delete_mail.inc | 7 ++- wwwroot/inc/eventz/login.inc | 5 +- wwwroot/inc/eventz/set_bookmark_category.inc | 12 ++++- 8 files changed, 63 insertions(+), 37 deletions(-) diff --git a/doc/TODO b/doc/TODO index 447c9c5..9ad9663 100644 --- a/doc/TODO +++ b/doc/TODO @@ -6,7 +6,7 @@ - FIX function.get_image_link.php: ("GET /id/select%20user_id%20from%20users%20where%20user_id%20=%20332%3CBR%3E0.19035/images/nodes///.gif ) wtf? -- fix ALL sql injections +- SQL injections (many fixed, but some should be still there) - remove absolute paths from all source files (!) (over 50) diff --git a/wwwroot/inc/eventz/K.inc b/wwwroot/inc/eventz/K.inc index 05485e4..b954bc4 100644 --- a/wwwroot/inc/eventz/K.inc +++ b/wwwroot/inc/eventz/K.inc @@ -70,6 +70,11 @@ function K() { foreach ($k as $id) { + // prevent sqli + $k = intval($k); + if ($k == 0) { continue; } + + if ($user_k) { $isSenat = hasAncestor(getAncestors($id), $senat_id); if ($isSenat && !($isComm || $isSOwner)){ diff --git a/wwwroot/inc/eventz/configure.inc b/wwwroot/inc/eventz/configure.inc index 7959a0e..756abc2 100644 --- a/wwwroot/inc/eventz/configure.inc +++ b/wwwroot/inc/eventz/configure.inc @@ -29,7 +29,7 @@ } else { - $node_creator=$_POST['node_creator']; + $node_creator=intval($_POST['node_creator']); $q="select user_id from users where login like '$node_creator'"; $ownerset=$db->query($q); if (!$ownerset->getNumRows()) { 
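Review bot: The guard added inside `foreach ($k as $id)` sanitises the wrong variable: it calls `intval()` on `$k`, the array being iterated, rather than on `$id`, which is the value that flows into `getAncestors($id)` and presumably onward into SQL. `intval()` of a non-empty array is `1`, so the `continue` never fires, `$id` reaches the downstream code unchanged, and `$k` is clobbered to `1` for whatever follows the loop. The check should read `$id = intval($id); if ($id == 0) { continue; }`. `K()`'s body and the code that consumes the filtered ids continue outside the hunk.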
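Review bot: `intval()` is the wrong sanitiser for `$node_creator`, which the very next line compares against the `login` column: any non-numeric login collapses to `0`, so the lookup fails (or matches a user literally named `0`) and reassigning a node's owner by login no longer works. Escape it as a string instead, and since this is an exact lookup prefer `=` so `%`/`_` in the input cannot widen the match: `$node_creator=mysql_real_escape_string($_POST['node_creator']); $q="select user_id from users where login='$node_creator'";`. If `like` is intentional, the wildcard characters need escaping too, e.g. `addcslashes($node_creator, '%_')` before interpolation.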
@@ -42,11 +42,11 @@ } } - $node_vector=$_POST['node_vector']; + $node_vector=mysql_real_escape_string($_POST['node_vector']); $old_vector=$node['node_vector']; if (is_numeric($_POST['template_id'])) $template_id=$_POST['template_id']; - $node_parent=$_POST['node_parent']; - $node_created=$_POST['node_created']; + $node_parent=intval($_POST['node_parent']); + $node_created=mysql_real_escape_string($_POST['node_created']); $node_id=$node['node_id']; @@ -64,10 +64,10 @@ $node_vector=$parent_node['node_vector'].";".$parent_node['node_id'];; } - $node_name=$_POST['node_name']; + $node_name=mysql_real_escape_string($_POST['node_name']); - $node_external_access=$_POST['node_external_access']; - $node_system_access=$_POST['node_system_access']; + $node_external_access=mysql_real_escape_string($_POST['node_external_access']); + $node_system_access=mysql_real_escape_string($_POST['node_system_access']); require(INCLUDE_DIR.'htmlparse.inc'); global $htmlparse; diff --git a/wwwroot/inc/eventz/configure_external_access.inc b/wwwroot/inc/eventz/configure_external_access.inc index 742431d..6614ea4 100644 --- a/wwwroot/inc/eventz/configure_external_access.inc +++ b/wwwroot/inc/eventz/configure_external_access.inc 
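Review bot: `$template_id` is still copied raw from `$_POST['template_id']` after only an `is_numeric()` test, which is inconsistent with the `intval()` now applied to `$node_parent` two lines below; `is_numeric()` accepts leading whitespace, signs, exponent notation and, on PHP 5, hex strings such as `0x1A`, so the value is not guaranteed to be a plain integer literal. Normalise it the same way: `if (is_numeric($_POST['template_id'])) $template_id=intval($_POST['template_id']);`. `$node_created` is escaped as a free string; if the column is a date or timestamp, a format check would be stronger, but the hunk does not show how it is used.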
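Review bot: `$node_external_access` and `$node_system_access` are escaped as free-form strings, yet configure_external_access.inc in this same commit treats the external flag as a strict yes/no value; escaping stops injection but still lets any string reach the column. An allow-list is safer and consistent with the sibling file: `$node_external_access = ($_POST['node_external_access']=='yes') ? 'yes' : 'no';`, and the same pattern for `$node_system_access` if its permitted values are known. The function body continues outside the hunk, so the SQL these variables end up in is not visible here.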
@@ -1,30 +1,33 @@ query($q); - } + if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) { + + if ($_POST['node_external_access'] =='yes')) + { $node_external_access = 'yes'; } + else + { $node_external_access = 'no'; } - else { - $q="update nodes set node_external_access='$node_external_access' where node_id='$node_id'"; - $db->query($q); + if ($_POST['apply_on_vector']) { + $vector=$node['node_vector']; + if (empty($vector)) { + $error=$error_messages['INCORRECT_VECTOR']; + return false; } - }else{ - $error=$error_messages['EVENT_PERMISSION_ERROR']; - return false; + $q="update nodes set node_external_access='$node_external_access' where node_vector like '$vector%' and node_creator='$user_id'"; + $db->query($q); + } + + else { + $q="update nodes set node_external_access='$node_external_access' where node_id='$node_id'"; + $db->query($q); } + }else{ + $error=$error_messages['EVENT_PERMISSION_ERROR']; + return false; } -?> \ No newline at end of file +} +?> diff --git a/wwwroot/inc/eventz/configure_system_access.inc b/wwwroot/inc/eventz/configure_system_access.inc index ccfd1ad..014dff2 100644 --- a/wwwroot/inc/eventz/configure_system_access.inc +++ b/wwwroot/inc/eventz/configure_system_access.inc @@ -3,9 +3,9 @@ global $db,$error,$node; $node_id=$node['node_id']; $user_id=$_SESSION['user_id']; + $node_system_access=mysql_real_escape_string($_POST['node_system_access']); if (($node['node_permission']=='owner') || ($node['node_permission']=='master')) { - $node_system_access=$_POST['node_system_access']; if ($_POST['apply_on_vector']) { $vector=$node['node_vector']; @@ -24,4 +24,4 @@ } return true; } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/delete_mail.inc b/wwwroot/inc/eventz/delete_mail.inc index f77910f..9cd462d 100644 --- a/wwwroot/inc/eventz/delete_mail.inc +++ b/wwwroot/inc/eventz/delete_mail.inc 
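Review bot: The new condition `if ($_POST['node_external_access'] =='yes'))` has an unbalanced closing parenthesis, which is a PHP parse error that would take the whole include down; it should read `if ($_POST['node_external_access'] == 'yes')`. The start of this hunk appears mangled in this rendering (the text between the hunk header and `query($q);` is missing), so where `$node_id` and `$user_id` in the rewritten queries come from cannot be checked here; if they are taken from `$node` and `$_SESSION` as in configure_system_access.inc they are fine, otherwise they also need `intval()`. `$vector` is read from the stored node rather than the request, so it is not a direct injection vector unless node vectors can contain quote characters.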
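Review bot: `$node_system_access` is now escaped, but it remains whatever string the client sent, and it is written into `node_system_access` for the node and, with `apply_on_vector`, for the whole subtree — escaping prevents injection, not bogus access values. If the column only takes a known set of values, validate against that set before the query, e.g. `if (!in_array($node_system_access, $allowed_access_values, true)) { $error=$error_messages['EVENT_PERMISSION_ERROR']; return false; }` with the list holding the values the application actually defines. Moving the escaping above the owner/master check is harmless, though it means work is done for requests about to be rejected.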
@@ -3,6 +3,11 @@ function delete_mail() { global $node,$db,$error; $user_id = $_SESSION['user_id']; foreach ($_POST['message'] as $chosen =>$value) { + + $mail_id = intval($mail_id); + if ($mail_id == 0) + continue; + $set = $db->query("select mail_read,mail_to from mail where mail_id = '$chosen' and mail_from = '$user_id'"); $set->next(); if ($set->getString('mail_read') == 'no') { @@ -12,4 +17,4 @@ function delete_mail() { $db->query("delete from mail where mail_id = '$chosen' and mail_user = '$user_id'"); } } -?> \ No newline at end of file +?> diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc index ef4800a..94f7f4c 100644 --- a/wwwroot/inc/eventz/login.inc +++ b/wwwroot/inc/eventz/login.inc @@ -7,7 +7,7 @@ function login() { global $db,$error,$node_id; $login = mysql_real_escape_string($_POST['login']); - $password = $_POST['password']; //XXX nice SQLi + $password = $_POST['password']; // Not SQLi but be carefull $hash = md5($password); $login_type = $_POST['login_type']; $referer = $_SERVER['HTTP_REFERER']; @@ -26,6 +26,9 @@ function login() { $user_name = $set->getString('login'); break; case "id": + // HA! if it is number, escape_string is not enough + $login=intval($login); + $q="select * from users where user_id='$login' and password='$hash'"; $set=$db->query($q); $set->next(); diff --git a/wwwroot/inc/eventz/set_bookmark_category.inc b/wwwroot/inc/eventz/set_bookmark_category.inc index 159a085..26bb1ea 100644 --- a/wwwroot/inc/eventz/set_bookmark_category.inc +++ b/wwwroot/inc/eventz/set_bookmark_category.inc 
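Review bot: The added guard reads `$mail_id`, a variable that does not exist in `delete_mail()`; the loop key actually interpolated into both queries is `$chosen`. As written, `intval($mail_id)` is `intval(null)`, i.e. `0`, so every iteration hits `continue` and the function deletes nothing, while `$chosen` would still reach the SQL unsanitised if the guard were ever removed. Sanitise the real key instead: `$chosen = intval($chosen); if ($chosen == 0) { continue; }`. The `delete from mail ...` query in the second hunk also uses `$chosen`, so the same change covers it.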
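Review bot: The replacement comment `// Not SQLi but be carefull` is vague and misspelled; the reason this assignment is safe is only that `$password` itself is never interpolated — the next line hashes it and the hex digest in `$hash` is what reaches the query. Spell that out so the next reader does not "fix" it: `// raw password never reaches SQL; only md5($password) (hex digits) is interpolated`. Separately, `$login_type = $_POST['login_type']` is taken unvalidated here, and unsalted `md5()` as the password hash is a pre-existing weakness this commit does not touch.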
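Review bot: The comment `// HA! if it is number, escape_string is not enough` is misleading: `$login` is interpolated inside quotes (`user_id='$login'`), so the earlier `mysql_real_escape_string()` already prevented injection here, and `intval()` is a type normalisation rather than a fix. A more accurate comment would be `// user_id is numeric: coerce to int so a non-numeric login cannot match anything`. Note that `intval()` turns any non-numeric `$login` into `0`, so a `login_type` of `id` with a text login now queries `user_id='0'`; that is probably the intended fail-closed behaviour but is worth stating.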
@@ -4,7 +4,12 @@ function set_bookmark_category() { global $node,$db,$error; $bookmarks=$_POST['bookmarks_chosen']; - $category_id=$_POST['bookmark_category_id']; + + if (isset($_POST['bookmark_category_id']) && + is_numeric($_POST['bookmark_category_id'])) { + $category_id=$_POST['bookmark_category_id']; + } + $new_parent=nodes::getNodeById($category_id,$_SESSION['user_id']); $new_parent_permissions=permissions::checkPermissions($new_parent); @@ -20,6 +25,11 @@ function set_bookmark_category() { foreach ($bookmarks as $chosen_id) { unset($chosen); + if (!is_numeric($chosen_id)) + { + $error=$error_messages['What a strange number..']; + return false; + } $db->query("start transaction"); -- 2.30.2
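Review bot: When `bookmark_category_id` is missing or non-numeric the new code merely skips the assignment, so `$category_id` is undefined and `nodes::getNodeById($category_id, ...)` is still called with `null` (plus an undefined-variable notice) instead of the request being rejected. Fail closed instead: `if (!isset($_POST['bookmark_category_id']) || !is_numeric($_POST['bookmark_category_id'])) { $error=$error_messages['INCORRECT_VECTOR']; return false; } $category_id=intval($_POST['bookmark_category_id']);`, using whichever existing error key fits. `intval()` also normalises the whitespace, exponent and (PHP 5) hex forms that `is_numeric()` accepts. `$error_messages` would need to be added to the `global $node,$db,$error;` line unless it is brought into scope somewhere not shown.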
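Review bot: `$error=$error_messages['What a strange number..']` will most likely set `$error` to `null`: `$error_messages` is not in the function's `global $node,$db,$error;` declaration shown in the previous hunk, and the key reads like an ad-hoc message rather than an entry in the messages table, so the caller gets a silent `false`. Either declare `global $node,$db,$error,$error_messages;` and reference a key that actually exists, or assign a literal message. The check is well placed — it runs before `start transaction`, so no transaction is left open on rejection — but `is_numeric()` could be tightened to `ctype_digit((string)$chosen_id)` or `$chosen_id = intval($chosen_id)` for the same reasons as `bookmark_category_id`. The rest of the loop body continues outside the hunk.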