List: sr-dev
Subject: [OpenSER-Devel] [ openser-Bugs-1802421 ] SQL injection in AVP Module
From: noreply () sourceforge ! net (SourceForge ! net)
Date: 2007-09-26 8:52:54
Message-ID: E1IaQtc-0007Zb-Ft () sc8-sf-web21 ! sourceforge ! net
Bugs item #1802421, was opened at 2007-09-26 04:14
Message generated for change (Comment added) made by henningw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.2.x
> Status: Pending
Resolution: None
> Priority: 3
Private: No
Submitted By: Aron Rosenberg (amr42)
> Assigned to: Henning Westerholt (henningw)
Summary: SQL injection in AVP Module
Initial Comment:
The AVPOPS module function avp_db_query is susceptible to SQL injection attacks because any AVPs used within the query string are not escaped properly.
The UNIXODBC module has an existing SQL escape function which could be used in this case, and it also has a module parameter to force escaping of parameters used in queries.
A simple script example of the problem is this:
avp_printf ("$avp(to_displayname)" ,"Mc'Dowell");
avp_db_query ("select * from table where a='$tn' and b=1")
On a MySQL backend this will result in a SQL error on the query, but if the AVP var used comes from the wire a SQL injection is possible.
----------------------------------------------------------------------
> Comment By: Henning Westerholt (henningw)
Date: 2007-09-26 07:01
Message:
Logged In: YES
user_id=337916
Originator: NO
I've added a note about this behaviour to the function in the trunk and 1.2
branch.
Is it possible, and does it make sense, to escape all PVs automatically in
avp_db_query?
Henning
----------------------------------------------------------------------
Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-09-26 06:14
Message:
Logged In: YES
user_id=1318360
Originator: NO
This is a known limitation of the RAW queries. You have to escape the
parameters manually:
http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x#s.escape.common
Probably we should add this to the avpops README.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143
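The following is an added example, not code from the OpenSER project or from the bug report. It models the raw string substitution the report describes avp_db_query performing, next to the same value passed through the {s.escape.common} transformation that Klaus points to. The escape set (' " \ and NUL) follows the 1.2.x transformation documentation linked in the thread; the query shape is the one from the report; the string-literal lexer is a simplified MySQL-style model (backslash escapes honoured, '' doubling not modelled); the sample display names are constructed.

```python
"""
Added example: raw pseudo-variable substitution into a SQL string (the
bug) next to the same value escaped with the {s.escape.common} rules
(the documented workaround). Not OpenSER code; table/column names and
sample inputs are made up.
"""
from typing import List


def escape_common(value: str) -> str:
    """Backslash-escape ' " \\ and NUL, the characters {s.escape.common}
    covers per the 1.2.x transformation docs (assumption: that set)."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


# The query from the report; $tn (To display name, attacker-controlled
# on the wire) is substituted into {a}.
QUERY_TEMPLATE = "select * from table where a='{a}' and b=1"


def raw_query(display_name: str) -> str:
    """What the report describes: the pseudo-variable is pasted in verbatim,
    i.e. avp_db_query("... a='$tn' ...")."""
    return QUERY_TEMPLATE.format(a=display_name)


def escaped_query(display_name: str) -> str:
    """The documented workaround: avp_db_query("... a='$(tn{s.escape.common})' ...")."""
    return QUERY_TEMPLATE.format(a=escape_common(display_name))


def sql_string_literals(query: str) -> List[str]:
    """Return the bodies of the single-quoted literals in the statement,
    lexed MySQL-style (backslash escapes honoured; '' doubling not
    modelled). Raises ValueError on an unterminated literal, which is
    what the database would reject as a syntax error."""
    literals: List[str] = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        i += 1                      # opening quote
        body = []
        while i < n and query[i] != "'":
            if query[i] == "\\" and i + 1 < n:
                nxt = query[i + 1]
                body.append("\0" if nxt == "0" else nxt)
                i += 2
            else:
                body.append(query[i])
                i += 1
        if i >= n:
            raise ValueError("unterminated string literal")
        i += 1                      # closing quote
        literals.append("".join(body))
    return literals


def is_well_formed(query: str) -> bool:
    """True if every single-quoted literal in the statement is terminated."""
    try:
        sql_string_literals(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the report's example, and a hostile To display
    # name of the kind a remote party controls. Raw "Mc'Dowell" is a syntax
    # error; raw "' or 'a'='a" lexes cleanly with three literals, i.e. the
    # attacker's condition is now part of the WHERE clause. Escaped, each
    # stays a single literal equal to the original string.
    for name in ("Mc'Dowell", "' or 'a'='a"):
        for label, q in (("raw", raw_query(name)), ("escaped", escaped_query(name))):
            status = sql_string_literals(q) if is_well_formed(q) else "SQL syntax error"
            print(f"{label:8} {q!r}\n         -> {status}")
```

In openser.cfg the equivalent change is writing `$(tn{s.escape.common})` (or `$(avp(to_displayname){s.escape.common})`) in place of the bare pseudo-variable inside every avp_db_query string; one unescaped variable in one raw query is the whole bug. Backslash escaping matches MySQL's default string syntax; a backend that does not treat backslash as an escape character inside string literals needs that backend's own quoting, so the transformation is not a drop-in fix for every database driver.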