[OpenSER-Devel] [ openser-Bugs-1802421 ] SQL injection in AVP Module
SourceForge.net
noreply at sourceforge.net
Thu Oct 11 04:20:06 CEST 2007
Bugs item #1802421, was opened at 2007-09-25 21:14
Message generated for change (Comment added) made by sf-robot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.2.x
>Status: Closed
Resolution: None
Priority: 3
Private: No
Submitted By: Aron Rosenberg (amr42)
Assigned to: Henning Westerholt (henningw)
Summary: SQL injection in AVP Module
Initial Comment:
The AVPOPS module function avp_db_query is susceptable to SQL injection attacks because any AVP's used within the query string are not escaped properly.
The UNIXODBC module has an existing sql escape function which could be used in this case and it also has a module paramater to force escaping of paramaters used in queries.
A simple script example of the problem is this:
avp_printf ("$avp(to_displayname)" ,"Mc'Dowell");
avp_db_query ("select * from table where a='$tn' and b=1")
On MySQL backend this will result in a SQL error on the query, but if the avp var used comes from the wire a SQL injection is possible.
----------------------------------------------------------------------
>Comment By: SourceForge Robot (sf-robot)
Date: 2007-10-10 19:20
Message:
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
----------------------------------------------------------------------
Comment By: Henning Westerholt (henningw)
Date: 2007-09-26 00:01
Message:
Logged In: YES
user_id=337916
Originator: NO
I've add a note about this behaviour to the function in the trunk and 1.2
branch.
It is possible, make it sense to escape all pv automatically in
avp_db_query?
Henning
----------------------------------------------------------------------
Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-09-25 23:14
Message:
Logged In: YES
user_id=1318360
Originator: NO
This is a known limitation of the RAW queries. You have to escape the
parameters manually:
http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x#s.escape.common
Probably we should add this to the avpops README.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1802421&group_id=139143
More information about the Devel
mailing list