ISPConfig 3

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Backend / Core
  • Assigned To Till (Till)
  • Operating System All
  • Severity Critical
  • Priority Normal
  • Reported Version 3.0.4.4
  • Due in Version 3.0.4.5
  • Due Date Undecided
Attached to Project: ISPConfig 3
Opened by bandie92 (bandie91) - 2012-05-11
Last edited by Till (Till) - 2012-05-11

FS#2221 - SQL Injection Vulnerability

In file interface/lib/classes/listform.inc.php on line 155:

$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];

and below on line 184:

$sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";

without input sanitization, may cause the function getSearchSQL() to return an injected SQL WHERE substring!

I put simple workaround under line 155:

if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field]))
    $_SESSION['search'][$list_name][$search_prefix.$field] = '';

This task does not depend on any other tasks.
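An added example, not code from the report or from ISPConfig itself: the line-184 pattern rebuilt as a stand-alone PHP function next to a hardened version that takes column name and operator only from the trusted field definition and hands the user value to the driver as a bound parameter instead of splicing it into the string. The field definitions, the `search_` prefix and the sample session values are constructed for the demonstration.

```php
<?php
// Constructed sample of what $_SESSION['search'][$list_name] holds after
// line 155 has copied $_REQUEST values into the session unchecked.
$searchValues = [
    'search_domain'   => "x' OR '1'='1",   // attacker-controlled value
    'search_username' => 'alice',
];

// Field definitions in the shape the report's loop reads: $i['op'], $i['prefix'], $i['suffix'].
$fields = [
    'domain'   => ['op' => 'like', 'prefix' => '%', 'suffix' => '%'],
    'username' => ['op' => '=',    'prefix' => '',  'suffix' => ''],
];

// Vulnerable form: mirrors line 184, the raw value is concatenated into the WHERE clause,
// so a single quote in the value terminates the literal and the rest becomes SQL.
function getSearchSqlVulnerable(array $fields, array $searchValues, string $prefix = 'search_'): string {
    $where = '';
    foreach ($fields as $field => $i) {
        $value = $searchValues[$prefix . $field] ?? '';
        if ($value === '') continue;
        $where .= " $field " . $i['op'] . " '" . $i['prefix'] . $value . $i['suffix'] . "' and";
    }
    return $where;
}

// Hardened form: column and operator are validated against what the code itself defines,
// and every user value becomes a '?' placeholder plus an entry in the parameter list,
// to be passed to mysqli_stmt::bind_param() or PDOStatement::execute().
function getSearchSqlSafe(array $fields, array $searchValues, string $prefix = 'search_'): array {
    $allowedOps = ['=', '<>', '<', '>', 'like'];
    $clauses = [];
    $params  = [];
    foreach ($fields as $field => $i) {
        $value = $searchValues[$prefix . $field] ?? '';
        if ($value === '') continue;
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field) || !in_array($i['op'], $allowedOps, true)) {
            throw new InvalidArgumentException("Unsafe field or operator: $field");
        }
        $clauses[] = "`$field` " . $i['op'] . ' ?';
        $params[]  = $i['prefix'] . $value . $i['suffix'];   // wildcards stay inside the bound value
    }
    return ['where' => implode(' and ', $clauses), 'params' => $params];
}

// Compare the two: the first string carries the injected OR clause, the second never does.
echo getSearchSqlVulnerable($fields, $searchValues), "\n";
print_r(getSearchSqlSafe($fields, $searchValues));
```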

Closed by Till (Till)
Friday, 11 May 2012, 10:07 GMT
Reason for closing: Fixed
R00T_ATI (r00t.ati)
Friday, 11 May 2012, 09:44 GMT
Can't find that string on installed ISPConfig3.
Could you please provide an example URL where we can inject SQL?

Thanks
Till (Till)
Friday, 11 May 2012, 10:06 GMT
This can affect only logged-in users, so it cannot be abused without a valid login. The fix is already available in SVN:

svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.4

to install it run:

cd /tmp
svn export svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.4
cd ispconfig-3.0.4/install
php update.php

We will release an update as tar.gz today after we have tested the patch.
