[Security issue] sql injection

Posted: 11 May 2009, 23:22
by louiz'
On the login page.
Try to log with something with a ' in it.
For example with « louiz' »

You will see a mysql error.
The $_POST['login'] and $_POST['password'] are not protected and can be used to do a mysql injection.

Please fix.

Re: [Security issue] sql injection

Posted: 12 May 2009, 00:34
by fox
First of all, all I see is the incorrect password error. Can you post a screenshot?

Second, login actually seems to not be escaped properly, nice catch. Fixed in trunk. Password is always reduced to a SHA1 hash, so no possible injection vector there.
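
An added example, not code from this thread or from the forum software, that reproduces the two points above: a login value concatenated into the query breaks on a `'`, while the password, reduced to a SHA1 hex digest before it reaches the query, cannot carry one. It uses an in-memory sqlite3 table as a stand-in for the MySQL user table (an assumption; the real schema is not on the page) and shows the parameterised query that fixes the login side.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed stand-in for the forum's user table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password_sha1 TEXT)")
    # The login from the report, stored with its apostrophe; password is hashed as fox describes.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("louiz'", hashlib.sha1(b"teub").hexdigest()),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, login, password):
    """Mirrors the unfixed form: login is pasted into the SQL text unescaped.

    The password is hashed first, so only hex characters ever reach the query
    from that side, which is why fox sees no injection vector there.
    Returns ("ok", login), ("denied", None) or ("error", message).
    """
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND password_sha1 = '" + pw_hash + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A stray quote in `login` leaves the statement malformed: this is the
        # "mysql error" the report describes, surfaced here as a sqlite3 error.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def safe_login(conn, login, password):
    """Fixed form: both values travel as bound parameters, never as SQL text."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND password_sha1 = ?",
        (login, pw_hash),
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_login(db, "louiz'", "teub"))  # ("error", ...)
    print(safe_login(db, "louiz'", "teub"))        # ("ok", "louiz'")
```

With the bound-parameter version the apostrophe is just data: the user named `louiz'` logs in normally, and a wrong password is simply denied rather than producing a database error.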

Re: [Security issue] sql injection

Posted: 12 May 2009, 07:06
by louiz'
Here is a screenshot
http://louiz.org/mysql_error.png

login : louiz'
password : teub
(of course, I fixed this flaw on my server ;) And it's not my real password ;))

Re: [Security issue] sql injection

Posted: 12 May 2009, 10:08
by fox
What is weird is that I couldn't replicate it here. The bug was there, it just didn't show up for some reason.