[Security issue] sql injection

Development-related discussion, including bundled plugins
louiz'
Bear Rating Trainee
Bear Rating Trainee
Posts: 2
Joined: 11 May 2009, 23:19

[Security issue] sql injection

Postby louiz' » 11 May 2009, 23:22

On the login page.
Try to log with something with a ' in it.
For example with « louiz' »

You will see a mysql error.
The $_POST['login'] and $_POST['password'] are not protected and can be used to do a mysql injection.

Please fix.

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: [Security issue] sql injection

Postby fox » 12 May 2009, 00:34

First of all, all I see is the incorrect password error. Can you post a screenshot?

Second, login actually seems to not be escaped properly, nice catch. Fixed in trunk. Password is always reduced to a SHA1 hash, so no possible injection vector there.

louiz'
Bear Rating Trainee
Bear Rating Trainee
Posts: 2
Joined: 11 May 2009, 23:19

Re: [Security issue] sql injection

Postby louiz' » 12 May 2009, 07:06

Here is a screenshot
http://louiz.org/mysql_error.png

login : louiz'
password : teub
(of course, I fixed this flaw on my server ;) And it's not my real password ;))

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: [Security issue] sql injection

Postby fox » 12 May 2009, 10:08

What is weird is that I couldn't replicate it here. The bug was there, it just didn't show up for some reason.


Return to “Development”

Who is online

Users browsing this forum: No registered users and 2 guests