
Ticket #72 (fixed bug)

Insufficient input validation in admin_users.php

  • Created: 2010-07-11 08:28:06
  • Reported by: Visman
  • Assigned to: Reines
  • Milestone: 1.4.1
  • Component: code
  • Priority: normal

FIND: !@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $ip)
REPLACE WITH: !@preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)

For example: admin_users.php?show_users=1.1.1.1kkkkkkk
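The difference the FIND/REPLACE above makes, as an added example that is not part of the ticket or of the project's code: it runs both patterns over sample values, of which only `1.1.1.1kkkkkkk` comes from the ticket and the rest are constructed. The `D`-modifier pattern and the `filter_var` check go beyond the ticket's fix and are assumptions about what stricter validation could look like; the constant and function names are hypothetical.

```php
<?php
// Added example; constant and function names are hypothetical, not project code.

// Pattern before the fix (from the ticket): unanchored, so it matches an
// IP-shaped substring anywhere in the input.
const IP_UNANCHORED = '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/';
// Pattern after the fix (from the ticket): anchored with ^ and $.
const IP_ANCHORED = '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/';
// Assumption, not in the ticket: in PCRE, $ also matches just before a final
// newline; the D modifier restricts it to the very end of the subject.
const IP_STRICT = '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/D';

// Assumption, not in the ticket: filter_var checks the dotted-quad shape and
// also that every octet is in the range 0-255, which {1,3} does not.
function is_ipv4(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Returns which of the four checks accept the given value.
function check_ip(string $ip): array
{
    return [
        'unanchored' => preg_match(IP_UNANCHORED, $ip) === 1,
        'anchored'   => preg_match(IP_ANCHORED, $ip) === 1,
        'strict'     => preg_match(IP_STRICT, $ip) === 1,
        'filter_var' => is_ipv4($ip),
    ];
}

$samples = [
    '1.1.1.1',          // constructed: well-formed address
    '1.1.1.1kkkkkkk',   // the value from the ticket
    "1.1.1.1\n",        // constructed: trailing newline
    '999.999.999.999',  // constructed: right shape, octets out of range
];

foreach ($samples as $sample) {
    $accepted = array_keys(array_filter(check_ip($sample)));
    printf(
        "%-20s accepted by: %s\n",
        json_encode($sample),
        $accepted ? implode(', ', $accepted) : '(none)'
    );
}
```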

History

Franz 2010-07-11 12:26:11

Are you saying this is a vulnerability or just insufficient input validation? After all, the value is escaped in the query, so there is no security problem...

Visman 2010-07-11 13:13:56

Insufficient input validation.

In $result = $db->query('SELECT DISTINCT poster_id, poster FROM '.$db->prefix.'posts WHERE poster_ip=\''.$db->escape($ip).'\'')
$db->escape($ip) is present.

P.S. At first I decided that it was a vulnerability.

Reines 2010-07-21 10:31:30

  • Milestone set to 1.4.1.

I don't see where the vulnerability is here?

The regex does indeed allow more than it should, however as you saw the $ip is escaped before being used, so doesn't result in a vulnerability?

Reines 2010-07-21 10:55:46

  • Visibility set to public.
  • Status changed from open to fixed.

I've fixed the regex here, though I'm still convinced this isn't actually a vulnerability.

Will push the fix later today when I have some time. Thanks for the report.

Franz 2010-07-21 22:11:57

  • Summary changed from admin_users.php to Insufficient input validation in admin_users.php.

Franz 2010-07-24 11:40:57

  • Owner set to Reines.