Filename | ISPConfig 3.0.5. 6 SQL injection Vulnerability |
Author | Unknown |
Date and Time | 8:15 AM |
In file interface/lib/classes/listform.inc.php on line 155:
$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
and below on line 184:
$sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";
Without input sanitization, this may cause the function getSearchSQL() to return an injected SQL WHERE substring!
I put a simple workaround under line 155:
if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field]))
    $_SESSION['search'][$list_name][$search_prefix.$field] = '';
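The workaround above blanks any search value that contains a quote or backslash; binding the value as a query parameter removes the need to filter it at all. The following is an added example, not ISPConfig's code or the author's patch: `buildSearchWhere`, `ALLOWED_OPS`, the `client` table and the sample request are assumptions, and it uses PDO with an in-memory SQLite database.

```php
<?php
// Added example: hypothetical stand-in for the WHERE builder, not ISPConfig code.
// $fields mirrors the per-field 'op', 'prefix' and 'suffix' entries used on the page.

const ALLOWED_OPS = ['=', 'like'];   // assumption: operators a search form needs

function buildSearchWhere(array $fields, array $request, string $searchPrefix): array
{
    $clauses = [];
    $params  = [];
    foreach ($fields as $field => $i) {
        $key = $searchPrefix . $field;
        if (!isset($request[$key]) || !is_string($request[$key]) || $request[$key] === '') {
            continue;                       // no search term for this column
        }
        // Column and operator come from server-side config; validate them anyway.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)
            || !in_array(strtolower($i['op']), ALLOWED_OPS, true)) {
            throw new InvalidArgumentException("bad search definition for $field");
        }
        // The user value is never concatenated into the SQL text, only bound.
        $clauses[] = "$field {$i['op']} ?";
        $params[]  = $i['prefix'] . $request[$key] . $i['suffix'];
    }
    return [$clauses ? implode(' AND ', $clauses) : '1=1', $params];
}

// Constructed sample: one searchable column and a search term containing a quote,
// which the regex workaround would have replaced with an empty string.
$fields  = ['name' => ['op' => 'like', 'prefix' => '%', 'suffix' => '%']];
$request = ['search_name' => "O'Brien"];

[$where, $params] = buildSearchWhere($fields, $request, 'search_');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE client (name TEXT)");
$db->exec("INSERT INTO client VALUES ('O''Brien'), ('Smith')");

$stmt = $db->prepare("SELECT name FROM client WHERE $where");
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));   // the quote is handled as data
```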