Possible SQL injection

Bug #154876 reported by JW

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Chameleon (inactive) | Fix Released | Critical | JW | |
Bug Description

The 'archive' action in BlogController executes the following Ruby code:

```ruby
# The condition string was cut off in this report; it is reconstructed here
# from the SQL quoted in the comment below and the parameter names in the text.
@total_entries = Entry.find(:all, :conditions => "state = 'P' and " +
                            "YEAR(date_published) = " + params[:year] +
                            " and MONTH(date_published) = " + params[:month],
                            :order => "date_published DESC")
```

In this function, the 'year' and 'month' parameters are not escaped, so SQL code can be written inside them.
Changed in chameleon: importance: High → Critical
At this moment I'm not yet able to exploit this bug. The SQL created by this bug looks like this:

```sql
SELECT * FROM entries WHERE (state = 'P' and YEAR(date_published) = 2007 and MONTH(date_published) = 1) ORDER BY date_published DESC
```

where 2007 and 1 are replaced with the asked year and month.

A URL such as http://0.0.0.0:3000/archive/2007/1); returns a MySQL error:

```
Mysql::Error: You have an error in your SQL syntax
```

The URLs

http://0.0.0.0:3000/archive/2007/1); --
http://0.0.0.0:3000/archive/2007/1); DROP TABLE entries; --
and
http://0.0.0.0:3000/archive/2007/1); DELETE FROM users WHERE id = 1; --

can, fortunately, not get executed; a MySQL error gets returned.
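The following is an added example, not code from the Chameleon project or from this report. It puts the string-concatenation pattern of the 'archive' action beside a hardened version: the year and month are validated as small integers in a plausible range before they reach the query, and the query is assembled through a `?` placeholder binder instead of interpolation. The binder (`bind_sql`) is a hypothetical stand-in for an ORM's bound-parameter API (in Rails of that era, passing `:conditions => ["... = ? and ... = ?", year, month]`), written in plain Ruby so the example runs without a database or ActiveRecord; `archive_sql_unsafe`, `archive_sql_safe` and `parse_archive_param` are names chosen here.

```ruby
# Added example; not the Chameleon project's code. Runs with plain Ruby,
# no database: the queries are built as strings so the two patterns can be compared.

# Vulnerable pattern: untrusted year/month are spliced straight into SQL text,
# mirroring the BlogController 'archive' action from the bug report.
def archive_sql_unsafe(year, month)
  "SELECT * FROM entries WHERE (state = 'P' and " \
  "YEAR(date_published) = #{year} and MONTH(date_published) = #{month}) " \
  "ORDER BY date_published DESC"
end

# Raised when a request parameter is not an acceptable archive year/month.
class InvalidArchiveParam < ArgumentError; end

# Accept only a short run of ASCII digits inside the given range. Anything else
# (quotes, parentheses, comment markers, over-long input) is rejected before
# any SQL is built, which is the point where the reported URLs would fail.
def parse_archive_param(raw, range)
  s = raw.to_s
  raise InvalidArchiveParam, "not an integer: #{s.inspect}" unless s.match?(/\A\d{1,4}\z/)
  n = Integer(s, 10)
  raise InvalidArchiveParam, "out of range: #{n}" unless range.cover?(n)
  n
end

# Minimal '?' placeholder binder (hypothetical stand-in for an ORM's
# bound-parameter API). It only ever binds Integer values, so no caller-supplied
# text can reach the SQL; a real driver would use prepared statements instead.
def bind_sql(template, *values)
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.length
  values.each { |v| raise ArgumentError, "only Integer bindings allowed" unless v.is_a?(Integer) }
  vals = values.dup
  template.gsub("?") { vals.shift.to_s }
end

# Hardened version: validate, then bind.
def archive_sql_safe(year_param, month_param)
  year  = parse_archive_param(year_param, 1970..2100)
  month = parse_archive_param(month_param, 1..12)
  bind_sql("SELECT * FROM entries WHERE (state = 'P' and " \
           "YEAR(date_published) = ? and MONTH(date_published) = ?) " \
           "ORDER BY date_published DESC", year, month)
end

if __FILE__ == $PROGRAM_NAME
  puts archive_sql_unsafe("2007", "1); --")   # injected text lands inside the SQL
  puts archive_sql_safe("2007", "1")           # same query as the unsafe form for clean input
  begin
    archive_sql_safe("2007", "1); --")
  rescue InvalidArchiveParam => e
    puts "rejected: #{e.message}"
  end
end
```

For well-formed input both functions yield the identical query, so the hardening costs nothing functionally; the difference is that `archive_sql_safe` refuses the `1); --` style values from the report at validation time rather than relying on MySQL to reject the resulting syntax, and the placeholder binder guarantees that even a validation slip cannot place arbitrary text into the statement.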