[VIM] FLIP SQL injection clarification

Steven M. Christey coley at mitre.org
Sat Feb 3 16:42:52 EST 2007


Ref:
CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=481131&group_id=98260

Rough translation is "SQL Injection continues to decrease, through
escape_sqlData(), implode_sql(), implode_sqlIn() which all implode()s
in Queries replaces and all data escape."

Some sources are reporting these as the vulnerable functions, but
certainly the escape_sqlData name suggests some kind of quoting, so an
alternate interpretation is that the vendor is USING these functions as
protection schemes to protect against SQL injection in various other
functions.

A big diff between RC2 and RC3 highlights this...

diff -r flip-rc2/web/catering.php flip-rc3/web/catering.php

<     $bids = "b.`id`='".implode("' OR b.`id`='", $post["ids"])."'";
<     $ids = "`id`='".implode("' OR `id`='", $post["ids"])."'";
---
>     $bids = "b.`id` IN (".implode_sqlIn($post["ids"]).")";
>     $ids = "`id` IN (".implode_sqlIn($post["ids"]).")";
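Review bot: the new `IN (...)` form is only as safe as implode_sqlIn()'s per-element quoting, and it introduces an edge case the old glue did not have: when `$post["ids"]` is absent or empty the clause becomes `b.`id` IN ()`, which MySQL rejects as a syntax error, so the empty case should be handled before the clause is built (for example by substituting a never-true condition). The removed lines show the actual defect being closed: each element of `$post["ids"]` was concatenated straight into the quoted `' OR b.`id`='` chain with no escaping at all, so a single quote in any element rewrote the WHERE clause.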

diff -r flip-rc2/web/core/core.mysql.php flip-rc3/web/core/core.mysql.php
<     if(is_null($val)) $Values[$col] = "`$col` = NULL";
<     else $Values[$col] = "`$col` = '".addslashes($val)."'";
---
>     $Values[$col] = "`$col` = ".escape_sqlData($val);
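Review bot: dropping the `is_null($val)` branch moves NULL handling into escape_sqlData(), so that function must emit the bare keyword `NULL` for a null input; if it instead returns a quoted empty string, `$col = ''` silently replaces the former `$col = NULL` and the stored value changes meaning. The `addslashes()` call being removed was also the weaker escaping choice independent of the null branch, since it is not aware of the connection character set; the replacement should be built on mysql_real_escape_string() (or, better, bound parameters) rather than on addslashes() again.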


... AND MANY OTHER FILES ... who knows which vectors are actually
vulnerable ...


And the finale:

diff -r flip-rc2/web/core/core.utils.php flip-rc3/web/core/core.utils.php
> /**
>  * Setzt den String escaped in Hochkommata, falls er nicht numerisch ist
>  * 
>  * @since 1345 - 24.01.2007
>  * @param String $sqlvalue Dieser Text wird (sql-)gesichert
>  * @return String
>  */
> function escape_sqlData($sqlvalue) {
...
> function implode_sql($glue, $array) {
...
> function implode_sqlIn($array) {
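Review bot: the docblock says the function wraps the escaped string in single quotes unless it is numeric, which means numeric-looking input reaches the query unquoted; if that check is PHP's is_numeric(), values such as ` 1`, `1e3` or (before PHP 7) `0x1A` count as numeric and are emitted bare, so the unquoted path should be gated on a strict integer test (ctype_digit() or a `(string)(int)$v === $v` round-trip) or simply dropped, since MySQL compares a quoted numeral against a numeric column correctly. With the function bodies elided, the post cannot show which escaping primitive escape_sqlData() uses or what implode_sqlIn() returns for an empty array, which is exactly what determines whether the callers changed above are now safe.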


So, obviously these functions couldn't be vulnerable if they didn't
exist in RC2.


- Steve
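Added example (not FLIP's code or the author's): the RC2 string-gluing pattern from catering.php next to an `IN (...)` builder that binds each element as a query parameter instead of escaping it into the SQL text, run against a constructed in-memory SQLite table that stands in for MySQL and FLIP's `id`-keyed rows.

```python
import sqlite3

# Constructed in-memory stand-in for an `id`-keyed FLIP table (not the project's schema).
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE b (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO b VALUES (?, ?)", SAMPLE_ROWS)
    return con


def ids_clause_rc2(ids):
    """RC2 pattern from catering.php: glue the request values into the SQL text.
    Nothing is escaped or quoted per element, so a value containing a quote
    changes the structure of the statement."""
    return "b.`id`='" + "' OR b.`id`='".join(ids) + "'"


def ids_clause_in(ids):
    """RC3-style `id IN (...)` clause, built with one bound placeholder per
    element instead of escaping into the string. Returns (fragment, params).
    An empty list yields a never-true fragment instead of the syntax error
    that a literal 'IN ()' produces."""
    if not ids:
        return "0", ()
    return "b.`id` IN (" + ",".join("?" for _ in ids) + ")", tuple(ids)


def select_ids_in(ids):
    """Ids matched by the placeholder-based clause, as a sorted list."""
    con = open_db()
    where, params = ids_clause_in(ids)
    rows = con.execute("SELECT id FROM b WHERE " + where + " ORDER BY id", params)
    return [r[0] for r in rows.fetchall()]


def rc2_clause_rejected(ids):
    """True when the RC2-style glued clause is no longer valid SQL for these
    values, i.e. request data altered the statement itself."""
    con = open_db()
    try:
        con.execute("SELECT id FROM b WHERE " + ids_clause_rc2(ids)).fetchall()
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(select_ids_in(["1", "3"]))        # [1, 3]
    print(select_ids_in([]))                # []
    print(rc2_clause_rejected(["O'Neil"]))  # True
```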

