[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAGt6WoqNdLWtn1Lu2950ZBmKxNa3gdBUea04pXo21FN8AZKBVQ@mail.gmail.com>
Date: Wed, 13 Mar 2019 11:18:18 +0200
From: Jaroslav Lobačevski <jarlob@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SQL injection in joshcam/mysqli-database-class library
https://packagist.org/packages/joshcam/mysqli-database-class aka
https://github.com/ThingEngineer/PHP-MySQLi-Database-Class v2.9.2 is
vulnerable to SQL injection in functon Where() because of special
"forkaround" at line 971
<https://github.com/ThingEngineer/PHP-MySQLi-Database-Class/blob/eaf1f6cc387c8464ea6a9221fb308669beed3a63/MysqliDb.php#L971>
If $whereValue happens to be an array, key value is used as $operator to
build query.
However typical usage of the class looks like:
$db->where('ID', $_POST['id']);
$name = $db->getValue('USERS', 'name');
The $whereValue is usually untrusted and if there are no additional checks
like is_numeric($_POST['id']) an attacker may inject his statements. For
example: id[= ? or 1=1 --]=0(Url encoded version for HTTP
POST: id%5B%3D%20%3F%20or%201%3D1%20--%5D=0)
Timeline:
08-03-2019 Sent and email to a.butenka at gmail.com
and josh.lee.campbell at gmail.com
13-03-2019 No response, created public GitHub issue
<https://github.com/ThingEngineer/PHP-MySQLi-Database-Class/issues/823>.
The maintainer replies "not a bug".
13-03-2019 Full disclosure list.
Regards,
Jaroslav Lobačevski
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists