SQL Injection Security Issue #322
Conversation
|
Your PR lacks a proof of concept.
Source: https://stackoverflow.com/questions/2018151/ip-address-sql-injection#answer-2018561 |
|
unfixed code is if ($_SERVER['HTTP_X_FORWARDED_FOR']) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
DBQuery("INSERT INTO hacking_log (HOST_NAME,IP_ADDRESS,LOGIN_DATE,VERSION,PHP_SELF,DOCUMENT_ROOT,SCRIPT_NAME,MODNAME,USERNAME)
values
('$_SERVER[SERVER_NAME]','$ip','" . date('Y-m-d') . "','$openSISVersion','$_SERVER[PHP_SELF]','$_SERVER[DOCUMENT_ROOT]','$_SERVER[SCRIPT_NAME]','$_REQUEST[modname]','" . User('USERNAME') . "')");@francoisjacquet so if HTTP_X_FORWARDED_FOR is defined(it can be simply defined in the HTTP header) in the $ip variable , the value given by the attacker will be assigned, not the REMOTE_ADDR. This will cause a sql injection vulnerability. POC is already in the profile on @d0ub1edd. I verified that it works in the latest version. https://github.com/d0ub1edd/CVE-Reference/blob/main/CVE-2024-46626.md |
|
@lodos2005 thanks, I just didn't expand the code up to the
|
This pull request addresses a critical SQL Injection vulnerability found of the application. The vulnerability allows any authenticated user to exploit the SQL query by injecting malicious SQL code, potentially leading to unauthorized data access or manipulation.
Impact: This vulnerability allows an attacker with any level of system access to execute arbitrary SQL queries. This can lead to data leakage, data corruption, or full database compromise.
Requirements for Exploitation: Attacker must be authenticated to the system but does not need elevated privileges.
Fix:
This PR is fixing the SQL Injection vulnerabilities.