Ticket #2122 (closed patch: fixed)

Opened 12 months ago

Last modified 12 months ago

Bug in PageComments class (Security)

Reported by: simon_w
Owned by: aoneil
Priority: blocker
Milestone:
Component: Sapphire Framework
Version:
Severity: medium effort / impact
Keywords:
Cc:
Hours:

Description

In PageComment.php, it is possible to run a SQL injection by calling the rss() method with a malicious pageid.

This patch simply casts $_REQUEST['pageid'] to an int before adding it to the query.
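
The effect of the cast described above, as an added example that is not part of the ticket or the attached patch. The query text, the table and column names and the function names are assumptions for illustration, and the code targets PHP 7.1 or later.

```php
<?php
// Added illustration. The query, table name and column name are assumed;
// they are not copied from PageComment.php.

// Before: the request value is concatenated into the SQL text unchanged.
function commentQueryUnsafe(array $request): string
{
    return "SELECT * FROM PageComment WHERE ParentID = " . ($request['pageid'] ?? '');
}

// After (the approach the ticket describes): cast to int first, so only
// digits can reach the query text.
function commentQueryCast(array $request): string
{
    return "SELECT * FROM PageComment WHERE ParentID = " . (int) ($request['pageid'] ?? 0);
}

// Stricter variant: reject anything that is not a positive integer instead
// of coercing it. filter_var() returns false for "abc", "", "42 OR 1=1"
// and for array input such as pageid[]=1.
function commentQueryStrict(array $request): ?string
{
    $id = filter_var(
        $request['pageid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // caller should respond with an error, not run a query
    }
    return "SELECT * FROM PageComment WHERE ParentID = " . $id;
}

// Constructed sample inputs: a normal id, a tampered id, and junk values.
$samples = ['42', '42 OR 1=1', 'abc', ''];

foreach ($samples as $value) {
    $request = ['pageid' => $value];
    printf("pageid=%s\n", var_export($value, true));
    printf("  unsafe: %s\n", commentQueryUnsafe($request));
    printf("  cast:   %s\n", commentQueryCast($request));
    printf("  strict: %s\n", commentQueryStrict($request) ?? '(rejected)');
}
```

With the cast, `'42 OR 1=1'` becomes `42` and `'abc'` or `''` become `0`, so the injected text never reaches the query but malformed input is silently coerced; the strict variant rejects it instead.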

Attachments

PageComment.php.diif (0.6 kB) - added by simon_w 12 months ago.

Change History

Changed 12 months ago by simon_w

Changed 12 months ago by mpeel

  • owner changed from aoneil to sminnee
  • priority changed from medium to blocker
  • component changed from CMS - General to Sapphire Framework
  • summary changed from SQL Injection via pageid to Bug in PageComments class (Security)

Changed 12 months ago by mpeel

  • owner changed from sminnee to aoneil

wtf, I didn't change the owner. Trac fail.

Changed 12 months ago by aoneil

  • status changed from new to closed
  • resolution set to fixed

Applied, r47937. Thanks simon!
