Mon 19th Mar '07 2:26pm
AdminCP Attachment SQL Injection
There is an SQL injection in the attachment search section of the Admin Control Panel.
This is considered a non-major problem since it requires administrator privileges; for those wanting to patch, the following unified diff is provided.
Code:
Index: /trunk/admincp/attachment.php
===================================================================
--- /trunk/admincp/attachment.php (revision 16424)
+++ /trunk/admincp/attachment.php (revision 16607)
@@ -646,4 +646,13 @@
}
+ $vbulletin->GPC['search']['downloadsmore'] = intval($vbulletin->GPC['search']['downloadsmore']);
+ $vbulletin->GPC['search']['downloadsless'] = intval($vbulletin->GPC['search']['downloadsless']);
+ $vbulletin->GPC['search']['sizemore'] = intval($vbulletin->GPC['search']['sizemore']);
+ $vbulletin->GPC['search']['sizeless'] = intval($vbulletin->GPC['search']['sizeless']);
+ $vbulletin->GPC['search']['visible'] = intval($vbulletin->GPC['search']['visible']);
+ $vbulletin->GPC['search']['orderby'] = in_array($vbulletin->GPC['search']['orderby'], array('user.username', 'counter', 'filename', 'filesize', 'post.dateline', 'attachment.visible')) ? $vbulletin->GPC['search']['orderby'] : 'filename';
+ $vbulletin->GPC['search']['ordering'] = in_array($vbulletin->GPC['search']['ordering'], array('ASC', 'DESC')) ? $vbulletin->GPC['search']['ordering'] : 'DESC';
+ $vbulletin->GPC['search']['results'] = intval($vbulletin->GPC['search']['results']);
+
// error prevention
if (!isset($vbulletin->GPC['search']['visible']) OR $vbulletin->GPC['search']['visible'] < -1 OR $vbulletin->GPC['search']['visible'] > 1)
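Review bot: The `isset` test on the `visible` key in the error-prevention line is dead after the added `intval()` assignment, because `intval()` on a missing key yields 0 and the key then always exists; a request without `visible` now passes the range check with 0 instead of reaching whatever default the error-prevention branch applies, and the unguarded read of a missing index also emits a notice. Either cast only when the key is present, `if (isset($vbulletin->GPC['search']['visible'])) { $vbulletin->GPC['search']['visible'] = intval($vbulletin->GPC['search']['visible']); }`, or move the casts below the error-prevention block. The `in_array()` whitelists for `orderby` and `ordering` are the right approach for values that end up in ORDER BY and cannot be escaped; passing `true` as the third argument makes the comparison strict at no cost. The error-prevention branch body continues outside the hunk.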
@@ -715,13 +724,13 @@
if ($vbulletin->GPC['search']['datelinebefore'] AND $vbulletin->GPC['search']['datelineafter'])
{
- $query .= "AND (attachment.dateline BETWEEN UNIX_TIMESTAMP('" . $vbulletin->GPC['search']['datelineafter'] . "') AND UNIX_TIMESTAMP('" . $vbulletin->GPC['search']['datelinebefore'] . "')) ";
+ $query .= "AND (attachment.dateline BETWEEN UNIX_TIMESTAMP('" . $db->escape_string($vbulletin->GPC['search']['datelineafter']) . "') AND UNIX_TIMESTAMP('" . $db->escape_string($vbulletin->GPC['search']['datelinebefore']) . "')) ";
}
else if ($vbulletin->GPC['search']['datelinebefore'])
{
- $query .= "AND attachment.dateline < UNIX_TIMESTAMP('" . $vbulletin->GPC['search']['datelinebefore'] . "') ";
+ $query .= "AND attachment.dateline < UNIX_TIMESTAMP('" . $db->escape_string($vbulletin->GPC['search']['datelinebefore']) . "') ";
}
else if ($vbulletin->GPC['search']['datelineafter'])
{
- $query .= "AND attachment.dateline > UNIX_TIMESTAMP('" . $vbulletin->GPC['search']['datelineafter'] . "') ";
+ $query .= "AND attachment.dateline > UNIX_TIMESTAMP('" . $db->escape_string($vbulletin->GPC['search']['datelineafter']) . "') ";
}
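Review bot: `$db->escape_string()` on the `datelineafter`/`datelinebefore` values is sufficient for the single-quoted literal context they are inserted into, but the code never checks that either value is actually a date, so a malformed string reaches `UNIX_TIMESTAMP()`, which returns NULL and silently removes the date filter from the result set. Rejecting the value before query building, for example `if ($vbulletin->GPC['search']['datelinebefore'] !== '' AND strtotime($vbulletin->GPC['search']['datelinebefore']) === false) { /* report invalid date */ }`, gives the administrator an error instead of an unfiltered listing. The same applies to `datelineafter`. The query-building code continues outside the hunk, and the hunk header announces 13 lines while 12 are visible, so a trailing context line appears to have been dropped in rendering.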