Not sure if $taboo was getting sanitized or not. Possibly an SQL injection vulnerability that allows maliciously crafted group names to inject SQL at a later date when the group CP is loaded. Unconfirmed, theoretical fix.
--- a/plugins/SpecialGroups.php Fri Jan 18 10:35:33 2008 -0500
+++ b/plugins/SpecialGroups.php Sat Jan 19 00:47:52 2008 -0500
@@ -502,7 +502,8 @@
echo '<select name="group_id">';
foreach ( $session->groups as $id => $group )
{
- $taboo[] = $group;
+ $taboo[] = $db->escape($group);
+ $group = htmlspecialchars($group);
if ( $group != 'Everyone' )
{
echo '<option value="' . $id . '">' . $group . '</option>';
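Review bot: The `+ $taboo[] = $db->escape($group);` line escapes for SQL at the point the array is filled rather than where the query is built, so `$taboo` now silently holds pre-escaped strings and every later consumer must know that to avoid double-escaping or, if one of them interpolates the raw session value instead, the injection the commit message worries about is not closed. Given that the message itself calls the fix "unconfirmed, theoretical", trace where `$taboo` is consumed and either escape (or better, bind as a parameter) there, and add a comment on this line stating that the entries are already escaped so the next maintainer does not escape them again. Also check that `$db` is actually in scope inside this function; the visible lines show no `global $db` or parameter, and a missing handle would fatal here at render time. Minor: `htmlspecialchars($group)` is applied only to the element text, which is fine, but `$id` is still echoed unescaped into the `value="..."` attribute; casting it with `(int)` (or escaping with `ENT_QUOTES` if it can be a string) would make the output consistently safe.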