From f3965b7fb6912c75d55a0a007b1e4256e5f7f12e Mon Sep 17 00:00:00 2001 From: David Cook Date: Mon, 13 Jul 2015 14:06:46 +1000 Subject: [PATCH] Bug 14521 - SQL injection in local use system preferences This patch fixes a SQL injection vulnerability in the local use system preferences. _TEST PLAN_ Before applying: 1) Go to Global System Preferences 2) Click on the "Local use" tab 3) Add a new preference with the value "') or '1' = '1' -- " (be sure to include the space at the end after the comment --). 4) When the page refreshes, you should now see about 99 other system preferences which shouldn't be showing up. 5) Apply the patch 6) Refresh the page 7) Note that you now only see a system preference for "') or '1' = '1' -- " and the other actual local use system preferences. Signed-off-by: Chris Cormack Signed-off-by: Jonathan Druart Signed-off-by: Mason James --- admin/systempreferences.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/admin/systempreferences.pl b/admin/systempreferences.pl index d41f2a7a67..a7ed1635c8 100755 --- a/admin/systempreferences.pl +++ b/admin/systempreferences.pl @@ -70,14 +70,16 @@ sub StringSearch { my $strsth = "Select variable,value,explanation,type,options from systempreferences where variable in ("; my $first = 1; + my @sql_bind; for my $name ( get_local_prefs() ) { $strsth .= ',' unless $first; - $strsth .= "'$name'"; + $strsth .= "?"; + push(@sql_bind,$name); $first = 0; } $strsth .= ") order by variable"; $sth = $dbh->prepare($strsth); - $sth->execute(); + $sth->execute(@sql_bind); while ( my $data = $sth->fetchrow_hashref ) { unless (defined $data->{value}) { $data->{value} = "";} -- 2.39.5