SECURITY: freetags SQL problem

rupa
Posts: 2
Joined: Fri Feb 01, 2008 6:46 pm

Post by rupa »

While looking at my postgresql logs, I found the following:

2009-02-01 21:55:49 CST ERROR:  syntax error at or near "s" at character 329
2009-02-01 21:55:49 CST STATEMENT:  SELECT DISTINCT e1.entryid,
                             e2.title,
                             e2.timestamp
                        FROM serendipity_entrytags AS e1
                   LEFT JOIN serendipity_entries   AS e2
                          ON e1.entryid = e2.id
                       WHERE e1.tag IN ('Dallas', 'ISKCON', 'New Year's Eve')
                         AND e1.entryid != 351
                         AND e2.isdraft = 'false'
                              AND e2.timestamp <= 1233546949
                    ORDER BY  e2.timestamp DESC
                       LIMIT 5

The freetags plugin (awesome plugin btw) has an error where it doesn't properly escape the tags before feeding the SQL. It would be fairly trivial to compose a 'tag' that would do SQL injection.
Rupa Schomaker
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: SECURITY: freetags SQL problem

Post by garvinhicking »

Hi!

Thanks for reporting this, I've just fixed it in version 3.03 of the plugin. This is not a totally serious matter though, as the SQL input only comes from what you added as the tags; it cannot be injected by a user itself.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
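
The failure in the logged statement, reproduced as an added example that is not part of the original thread and is not the freetags plugin's code. Assumptions: Python with an in-memory SQLite database stands in for the plugin's PHP and PostgreSQL, the rows are constructed, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample tags, taken from the IN (...) list in the logged statement.
TAGS = ["Dallas", "ISKCON", "New Year's Eve"]

def make_db():
    # Table and column names follow the log; the rows are constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE serendipity_entrytags (entryid INTEGER, tag TEXT)")
    db.executemany(
        "INSERT INTO serendipity_entrytags VALUES (?, ?)",
        [(351, "Dallas"), (352, "New Year's Eve"), (353, "ISKCON"), (354, "Other")],
    )
    return db

def related_unescaped(db, tags, current_id):
    # Failure mode from the log: each tag is pasted between single quotes as-is,
    # so the apostrophe in "New Year's Eve" ends the string literal early.
    in_list = ", ".join("'" + t + "'" for t in tags)
    sql = ("SELECT DISTINCT entryid FROM serendipity_entrytags "
           f"WHERE tag IN ({in_list}) AND entryid != {int(current_id)} "
           "ORDER BY entryid")
    return [row[0] for row in db.execute(sql)]

def related_parameterized(db, tags, current_id):
    # One placeholder per tag; the values travel separately from the SQL text.
    if not tags:
        return []  # "IN ()" is not valid SQL, so handle the empty list here
    marks = ", ".join("?" for _ in tags)
    sql = ("SELECT DISTINCT entryid FROM serendipity_entrytags "
           f"WHERE tag IN ({marks}) AND entryid != ? ORDER BY entryid")
    return [row[0] for row in db.execute(sql, [*tags, current_id])]

def demo():
    db = make_db()
    try:
        related_unescaped(db, TAGS, 351)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the database rejects the malformed statement
    return error, related_parameterized(db, TAGS, 351)

if __name__ == "__main__":
    print(demo())
```
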