List:       sr-dev
Subject:    [OpenSER-Devel] [ openser-Bugs-1802421 ] SQL injection in AVP Module
From:       noreply@sourceforge.net (SourceForge.net)
Date:       2007-09-26 8:52:54
Message-ID: E1IaQtc-0007Zb-Ft@sc8-sf-web21.sourceforge.net

Bugs item #1802421, was opened at 2007-09-26 04:14
Message generated for change (Comment added) made by henningw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.2.x
> Status: Pending
Resolution: None
> Priority: 3
Private: No
Submitted By: Aron Rosenberg (amr42)
> Assigned to: Henning Westerholt (henningw)
Summary: SQL injection in AVP Module

Initial Comment:
The AVPOPS module function avp_db_query is susceptible to SQL injection attacks
because any AVPs used within the query string are not escaped properly.

The UNIXODBC module has an existing SQL escape function which could be used in this
case, and it also has a module parameter to force escaping of parameters used in
queries.

A simple script example of the problem is this:
avp_printf("$avp(to_displayname)", "Mc'Dowell");
avp_db_query("select * from table where a='$tn' and b=1");

On a MySQL backend this will result in a SQL error on the query, but if the AVP var
used comes from the wire a SQL injection is possible.

----------------------------------------------------------------------

> Comment By: Henning Westerholt (henningw)
Date: 2007-09-26 07:01

Message:
Logged In: YES 
user_id=337916
Originator: NO

I've added a note about this behaviour to the function in the trunk and 1.2
branch.

Is it possible, does it make sense to escape all PVs automatically in
avp_db_query?

Henning

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-09-26 06:14

Message:
Logged In: YES 
user_id=1318360
Originator: NO

This is a known limitation of the RAW queries. You have to escape the
parameters manually:
http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x#s.escape.common

Probably we should add this to the avpops README.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143
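Added example, not part of this bug report or of the OpenSER code base: a Python re-implementation of the backslash escaping assumed for the s.escape.common transformation Klaus points to (assumed character set: single quote, double quote, backslash and NUL), beside the plain textual substitution avp_db_query performs on a raw query, with a small MySQL-style literal scanner that checks whether a value such as Mc'Dowell stays inside one SQL string literal.

```python
from typing import List

def escape_common(value: str) -> str:
    """Backslash-escape single quote, double quote, backslash and NUL.
    This character set is assumed for OpenSER's escape.common; it matches
    MySQL's default sql_mode, not NO_BACKSLASH_ESCAPES or quote-doubling backends."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

# The raw query from the report; the pseudo-variable is substituted as plain text.
QUERY_TEMPLATE = "select * from table where a='{tn}' and b=1"

def build_query(tn: str, escaped: bool) -> str:
    """Mimic avp_db_query's textual substitution of $tn, optionally escaped."""
    return QUERY_TEMPLATE.replace("{tn}", escape_common(tn) if escaped else tn)

def sql_string_literals(query: str) -> List[str]:
    """Tiny scanner honouring backslash escapes: returns the decoded contents of
    every single-quoted literal. An unterminated literal is returned as collected,
    so a query broken by an unescaped quote still yields a visible result."""
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] == "'":
            i += 1
            buf = []
            while i < n and query[i] != "'":
                if query[i] == "\\" and i + 1 < n:
                    nxt = query[i + 1]
                    buf.append("\0" if nxt == "0" else nxt)
                    i += 2
                else:
                    buf.append(query[i])
                    i += 1
            literals.append("".join(buf))
        i += 1
    return literals

def value_stays_in_literal(tn: str, escaped: bool) -> bool:
    """True when the query parses back to exactly one literal equal to the input,
    i.e. the value cannot change the structure of the statement."""
    return sql_string_literals(build_query(tn, escaped)) == [tn]

if __name__ == "__main__":
    for value in ("Mc'Dowell", "x\\"):  # constructed sample inputs
        print(build_query(value, False), "->", value_stays_in_literal(value, False))
        print(build_query(value, True), "->", value_stays_in_literal(value, True))
```

The second sample (a value ending in a backslash) shows why escaping only the quote character is not enough: a trailing backslash would swallow the closing quote of the raw query.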

