Not sure if $taboo was getting sanitized or not. Possibly an SQL injection vulnerability that allows maliciously crafted group names to inject SQL at a later date when the group CP is loaded. Unconfirmed, theoretical fix.
author Dan
Sat, 19 Jan 2008 00:47:52 -0500
changeset 447 a9a3789ce02d
parent 446 27f5ac58992c
child 448 f725a16e4a20
plugins/SpecialGroups.php
--- a/plugins/SpecialGroups.php	Fri Jan 18 10:35:33 2008 -0500
+++ b/plugins/SpecialGroups.php	Sat Jan 19 00:47:52 2008 -0500
@@ -502,7 +502,8 @@
       echo '<select name="group_id">';
       foreach ( $session->groups as $id => $group )
       {
-        $taboo[] = $group;
+        $taboo[] = $db->escape($group);
+        $group = htmlspecialchars($group);
         if ( $group != 'Everyone' )
         {
           echo '<option value="' . $id . '">' . $group . '</option>';
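Review bot: the point of this hunk rests on how $taboo is consumed, and that code is outside the hunk; since the message says the fix is unconfirmed, the review should follow $taboo to the query that uses it and confirm that each entry is interpolated inside a quoted string literal exactly once, because `$db->escape()` is only correct in that context and a value that is later escaped a second time or passed to a parameterised query will be corrupted rather than protected. A second, smaller point on the same lines: `$id` is echoed into the `value` attribute unescaped while `$group` now goes through `htmlspecialchars()`; if `$id` is not guaranteed to be an integer at this point, cast it (`(int)$id` or `intval($id)`) or escape it the same way, and add a short comment above `$taboo[] = $db->escape($group);` noting that the array is built for SQL use so the escaping is not removed later as redundant.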