SECURITY: freetags SQL problem

Posted: Mon Feb 02, 2009 5:11 am
by rupa
While looking at my postgresql logs, I found the following:

2009-02-01 21:55:49 CST ERROR:  syntax error at or near "s" at character 329
2009-02-01 21:55:49 CST STATEMENT:  SELECT DISTINCT e1.entryid,
                             e2.title,
                             e2.timestamp
                        FROM serendipity_entrytags AS e1
                   LEFT JOIN serendipity_entries   AS e2
                          ON e1.entryid = e2.id
                       WHERE e1.tag IN ('Dallas', 'ISKCON', 'New Year's Eve')
                         AND e1.entryid != 351
                         AND e2.isdraft = 'false'
                              AND e2.timestamp <= 1233546949
                    ORDER BY  e2.timestamp DESC
                       LIMIT 5

The freetags plugin (awesome plugin btw) has an error where it doesn't properly escape the tags before feeding the SQL. It would be fairly trivial to compose a 'tag' that would do SQL injection.
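Added example, not the plugin's code (the plugin is PHP against PostgreSQL; this uses Python and an in-memory SQLite database with constructed sample rows to stand in for the two Serendipity tables in the logged query). It rebuilds the related-entries lookup two ways: tags interpolated into the SQL text, which fails on "New Year's Eve" exactly as the log shows, and tags passed as bound parameters, which treats the apostrophe as data.

```python
import sqlite3

# Constructed sample data, not the real Serendipity schema.
TAGS = ["Dallas", "ISKCON", "New Year's Eve"]
CURRENT_ENTRY = 351
NOW = 1233546949  # timestamp from the logged statement

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE serendipity_entries(id INTEGER, title TEXT,
                                         timestamp INTEGER, isdraft TEXT);
        CREATE TABLE serendipity_entrytags(entryid INTEGER, tag TEXT);
        INSERT INTO serendipity_entries VALUES
            (351, 'Current entry', 1233500000, 'false'),
            (200, 'Party post',    1233400000, 'false'),
            (201, 'Dallas trip',   1233300000, 'false'),
            (202, 'Unpublished',   1233200000, 'true');
        INSERT INTO serendipity_entrytags VALUES
            (351, 'New Year''s Eve'), (200, 'New Year''s Eve'),
            (201, 'Dallas'), (202, 'Dallas');
    """)
    return db

# Same shape as the logged query; {} is filled with the IN-list.
SELECT = """SELECT DISTINCT e1.entryid, e2.title, e2.timestamp
    FROM serendipity_entrytags AS e1
    LEFT JOIN serendipity_entries AS e2 ON e1.entryid = e2.id
    WHERE e1.tag IN ({}) AND e1.entryid != ? AND e2.isdraft = 'false'
      AND e2.timestamp <= ?
    ORDER BY e2.timestamp DESC LIMIT 5"""

def related_unsafe(db, tags, entryid, now):
    """The bug reported above: tag text is pasted into the SQL unescaped.
    Returns rows, or the database error message when a tag breaks the
    statement (an apostrophe ends the string literal early)."""
    in_list = ", ".join("'%s'" % t for t in tags)
    try:
        return db.execute(SELECT.format(in_list), (entryid, now)).fetchall()
    except sqlite3.OperationalError as e:
        return "ERROR: %s" % e

def related_safe(db, tags, entryid, now):
    """Fix: one placeholder per tag; the driver quotes the values, so an
    apostrophe (or anything else) in a tag is data, never SQL syntax."""
    in_list = ", ".join(["?"] * len(tags))
    params = tuple(tags) + (entryid, now)
    return db.execute(SELECT.format(in_list), params).fetchall()
```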

Re: SECURITY: freetags SQL problem

Posted: Mon Feb 02, 2009 10:21 am
by garvinhicking
Hi!

Thanks for reporting this, I've just fixed it in version 3.03 of the plugin. This is not a totally serious matter though, as the SQL input only comes from what you added as the tags; it cannot be injected by a user itself.

Regards,
Garvin