View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
04904 | Bug reports | Security | public | 2011-01-26 14:28 | 2011-04-13 23:59 |
Reporter | starmonkey | Assigned To | texens | ||
Priority | normal | Severity | partial_block | ||
Status | closed | Resolution | fixed | ||
Product Version | 1.91RC2 | ||||
Target Version | 1.91RC4 | Fixed in Version | 1.91RC4 | ||
Summary | 04904: SQL Injection possible in admin/browse.php | ||||
Description | Unless LS does global input filtering, admin/browse.php has a SQL injection attack: `$query .= " FROM $surveytable WHERE id={$_POST['downloadfile']}";` Means I can post a value of "x'; DROP TABLE blah; --" in `$_POST['downloadfile']` and cause mayhem as an admin? I haven't tested it but I'm fairly sure that's so. This is just one case that I found while looking into the file_upload question types "download" functionality from the admin interface. I'm sure there may be many more, perhaps in the front-end where a malicious user can cause mayhem? | ||||
Additional Information | |||||
Tags | No tags attached. | ||||
Bug heat | 262 | ||||
Complete LimeSurvey version number (& build) | 9672 | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | FF | ||||
Database type & version | MySQL5 | ||||
Server OS (if known) | Windows7 | ||||
Webserver software & version (if known) | Apache2 | ||||
PHP Version | PHP5 | ||||
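
The concatenation described in the report beside a validated, parameterized form, as an added example that is not part of the original issue and not LimeSurvey's actual fix. PDO with an in-memory SQLite database, the `SELECT *` prefix, the function names and the `survey_12345` table are assumptions made for illustration.

```php
<?php
// Added example, not LimeSurvey code. PDO/SQLite, the function names and the
// survey_12345 table are assumptions; only $surveytable and 'downloadfile'
// come from the report.

// The pattern from the report: request data becomes part of the SQL text.
function buildQueryAsReported(string $surveytable, array $post): string
{
    $query = "SELECT *"; // assumed prefix; the report shows only the FROM part
    $query .= " FROM $surveytable WHERE id={$post['downloadfile']}";
    return $query;
}

// Hardened form: the id must be a positive integer and is bound as a parameter.
function fetchResponseRow(PDO $db, string $surveytable, array $post): ?array
{
    // Table names cannot be bound, so restrict them to identifier characters.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $surveytable)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $id = filter_var($post['downloadfile'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a plain integer id is refused
    }
    $stmt = $db->prepare("SELECT * FROM $surveytable WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE survey_12345 (id INTEGER PRIMARY KEY, answer TEXT)");
$db->exec("INSERT INTO survey_12345 (answer) VALUES ('first'), ('second')");

$reported = ['downloadfile' => "x'; DROP TABLE blah; --"]; // value quoted in the report
$valid    = ['downloadfile' => '2'];

// The posted value reaches the SQL text unchanged in the reported pattern.
echo buildQueryAsReported('survey_12345', $reported), "\n";
// The hardened function refuses the reported value and serves the valid id.
var_dump(fetchResponseRow($db, 'survey_12345', $reported));
var_dump(fetchResponseRow($db, 'survey_12345', $valid));
```
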
This really seems to be an urgent issue. Amit, can you have a look at this ASAP? |
|
Fixed in r9744. |
|
I believe the error is still present in the code so changing status... |
|
Texens, did you commit to the wrong branch? If I remember correctly Carsten did some tests of such security issues a few months ago so please check your own code and every file you edited carefully. |
|
Mazi, Yes I had committed this bug to the dev branch. Have fixed this bug in the stable branch in r9784, but I'll keep this bug report open so that I don't forget to do a complete check on all the new files/modifications that I have introduced for FUQT. |
|
texens, I think there is some error in the fix for the dev branch, I can't browse: Parse error: syntax error, unexpected $end in ./limesurvey-dev/admin/browse.php on line 1253 :) |
|
Did somebody already fix this issue? I'm unable to reproduce the aforementioned error. (I'm on rev 9804) |
|
Sorry texens, I fixed it, shame on me :) And it's a merge error. |
|
What's the status on this? Didn't you resolve it already? If yes, please set to resolved. |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2011-01-26 14:28 | starmonkey | New Issue | |
2011-01-27 00:04 | c_schmitz | Assigned To | => texens |
2011-01-27 00:04 | c_schmitz | Status | new => assigned |
2011-01-31 16:29 | Mazi | Note Added: 14015 | |
2011-02-01 14:40 | DenisChenu | Issue Monitored: DenisChenu | |
2011-02-01 16:15 | mdekker | Target Version | => 1.91RC4 |
2011-02-06 13:59 | texens | Note Added: 14062 | |
2011-02-06 13:59 | texens | Status | assigned => resolved |
2011-02-06 13:59 | texens | Fixed in Version | => 1.91RC4 |
2011-02-06 13:59 | texens | Resolution | open => fixed |
2011-02-07 11:07 | mdekker | Note Added: 14074 | |
2011-02-07 11:07 | mdekker | Status | resolved => acknowledged |
2011-02-08 23:15 | Mazi | Note Added: 14093 | |
2011-02-12 10:43 | texens | Status | acknowledged => assigned |
2011-02-12 10:55 | texens | Note Added: 14176 | |
2011-02-16 00:10 | DenisChenu | Note Added: 14194 | |
2011-02-16 14:23 | texens | Note Added: 14200 | |
2011-02-16 16:24 | DenisChenu | Note Added: 14203 | |
2011-03-08 14:57 | c_schmitz | Note Added: 14336 | |
2011-03-15 18:54 | texens | Status | assigned => resolved |
2011-04-13 23:59 | c_schmitz | Status | resolved => closed |
2021-08-03 10:48 | guest | Bug heat | 260 => 262 |