Subject: CAcert Code Development list.
List archive
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: Developers CAcert <cacert-devel AT lists.cacert.org>
- Subject: Fwd: Patch Request Bug #1266
- Date: Fri, 18 Apr 2014 15:03:12 +0200
- Openpgp: id=E53B124B
-------- Original Message --------
Subject: Patch Request Bug #1266
Date: Tue, 15 Apr 2014 23:26:32 +0200
From: Benny Baumann <benbe AT cacert.org>
To: critical-admin AT cacert.org <critical-admin AT cacert.org>
CC: Jörg Thalheim <joerg AT higgsboson.tk>, Michael Tänzer <michael.taenzer AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>, Eva Stöwe <estoewe AT cacert.org>
Hi folks,
we have a fix for https://bugs.cacert.org/view.php?id=1266
"Second-order SQL injection in Certificate-related queries"
The bug was reported by J. Thalheim. The patch was reviewed by me
(BenBE) and Michael Tänzer (NEOatNHNG). The fix was tested by Marcus
Mängel (INOPIAE), Martin Gummi (magu) and Eva Stöwe (katzazi).
Please install the attached patch. Re-running the language scripts is
not necessary as only SQL queries are being fixed.
Once the patch is installed, update the bugtracker accordingly and
forward the necessary messages to the public mailing lists.
Kind regards,
Benny Baumann
CAcert SoftWare Assessment Team
diff --git a/includes/account.php b/includes/account.php index 497bf58..09c123b 100644 --- a/includes/account.php +++ b/includes/account.php @@ -886,16 +886,16 @@ function buildSubjectFromSession() { mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'"); $query = "insert into `domaincerts` set - `domid`='".$row['domid']."', + `domid`='".intval($row['domid'])."', `CN`='".mysql_real_escape_string($row['CN'])."', `subject`='".mysql_real_escape_string($row['subject'])."',". //`csr_name`='".$row['csr_name']."', // RACE CONDITION - "`created`='".$row['created']."', + "`created`='".mysql_real_escape_string($row['created'])."', `modified`=NOW(), - `rootcert`='".$row['rootcert']."', - `type`='".$row['type']."', - `pkhash`='".$row['pkhash']."', - `description`='".$row['description']."'"; + `rootcert`='".intval($row['rootcert'])."', + `type`='".intval($row['type'])."', + `pkhash`='".mysql_real_escape_string($row['pkhash'])."', + `description`='".mysql_real_escape_string($row['description'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","server",$newid); 
@@ -1063,17 +1063,17 @@ function buildSubjectFromSession() { mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'"); $query = "insert into emailcerts set - `memid`='".$row['memid']."', + `memid`='".intval($row['memid'])."', `CN`='".mysql_real_escape_string($row['CN'])."', `subject`='".mysql_real_escape_string($row['subject'])."', - `keytype`='".$row['keytype']."', - `csr_name`='".$row['csr_name']."', - `created`='".$row['created']."', + `keytype`='".mysql_real_escape_string($row['keytype'])."', + `csr_name`='".mysql_real_escape_string($row['csr_name'])."', + `created`='".mysql_real_escape_string($row['created'])."', `modified`=NOW(), - `disablelogin`='".$row['disablelogin']."', - `codesign`='".$row['codesign']."', - `rootcert`='".$row['rootcert']."', - `description`='".$row['description']."'"; + `disablelogin`='".intval($row['disablelogin'])."', + `codesign`='".intval($row['codesign'])."', + `rootcert`='".intval($row['rootcert'])."', + `description`='".mysql_real_escape_string($row['description'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","client",$newid); 
@@ -1699,17 +1699,17 @@ function buildSubjectFromSession() { continue; } $query = "insert into `orgemailcerts` set - `orgid`='".$row['orgid']."', - `CN`='".$row['CN']."', - `ou`='".$row['ou']."', - `subject`='".$row['subject']."', - `keytype`='".$row['keytype']."', - `csr_name`='".$row['csr_name']."', - `created`='".$row['created']."', + `orgid`='".intval($row['orgid'])."', + `CN`='".mysql_real_escape_string($row['CN'])."', + `ou`='".mysql_real_escape_string($row['ou'])."', + `subject`='".mysql_real_escape_string($row['subject'])."', + `keytype`='".mysql_real_escape_string($row['keytype'])."', + `csr_name`='".mysql_real_escape_string($row['csr_name'])."', + `created`='".mysql_real_escape_string($row['created'])."', `modified`=NOW(), - `codesign`='".$row['codesign']."', - `rootcert`='".$row['rootcert']."', - `description`='".$row['description']."'"; + `codesign`='".intval($row['codesign'])."', + `rootcert`='".intval($row['rootcert'])."', + `description`='".mysql_real_escape_string($row['description'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","orgclient",$newid); 
@@ -2053,15 +2053,15 @@ function buildSubjectFromSession() { continue; } $query = "insert into `orgdomaincerts` set - `orgid`='".$row['orgid']."', - `CN`='".$row['CN']."', - `csr_name`='".$row['csr_name']."', - `created`='".$row['created']."', + `orgid`='".intval($row['orgid'])."', + `CN`='".mysql_real_escape_string($row['CN'])."', + `csr_name`='".mysql_real_escape_string($row['csr_name'])."', + `created`='".mysql_real_escape_string($row['created'])."', `modified`=NOW(), - `subject`='".$row['subject']."', - `type`='".$row['type']."', - `rootcert`='".$row['rootcert']."', - `description`='".$row['description']."'"; + `subject`='".mysql_real_escape_string($row['subject'])."', + `type`='".intval($row['type'])."', + `rootcert`='".intval($row['rootcert'])."', + `description`='".mysql_real_escape_string($row['description'])."'"; mysql_query($query); $newid = mysql_insert_id(); //echo "NewID: $newid<br/>\n";
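Review bot: in the first hunk (`@@ -886`), the context line `mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'");` still interpolates `$id` into the query without any cast or escaping while the insert directly below it is being hardened; unless `$id` is already coerced to an integer before this point, wrap it like the other numeric columns (`intval($id)`) so the renewal update is covered by the same fix. The return value of `mysql_query($query)` is also not checked, and `mysql_insert_id()` returns 0 when the previous query produced no auto-increment value, so a failed insert ends up calling `generatecertpath("csr","server",$newid)` with id 0.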
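Review bot: in the second hunk (`@@ -1063`), `csr_name` is copied from the old row (`csr_name`='".mysql_real_escape_string($row['csr_name'])."') whereas the domaincerts hunk above has the same column commented out with a `// RACE CONDITION` remark; please confirm the client-certificate path does not share that race, or drop the column here as well and let `generatecertpath("csr","client",$newid)` determine it. The `$id` in the preceding `update `emailcerts`` context line is left unescaped as in the first hunk; same remark applies.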
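Review bot: in the third hunk (`@@ -1699`), `keytype` is only string-escaped while `type` in the domaincerts hunks is cast with `intval`; escaping prevents breaking out of the quoted literal but does not constrain the stored value, so if `keytype` is a small set of known values, validating it against that set before building the query would be the stronger fix. More generally, now that every column is handled one by one, a prepared statement (mysqli or PDO with bound parameters) would make these inserts immune to the quoting mistakes this patch corrects and is the natural follow-up to record in the bug.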
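Review bot: in the fourth hunk (`@@ -2053`), the `continue;` context line at the top and the `//echo "NewID: $newid<br/>\n";` line at the bottom show this insert runs once per certificate inside a loop; because `mysql_query($query)` is not checked, one failed insert silently continues with `$newid` equal to 0 and a bogus path from `generatecertpath`. Please check the result and skip (and log) the row on failure, consistently across all four hunks.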
Attachment:
signature.asc
Description: OpenPGP digital signature