Thomas Goirand <tho...@goirand.fr> writes:
> On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
>> * No parameter binding: all SQL queries are built using string
>> manipulation; most parameters come directly from $_REQUEST, escaping
>> (via mysql_real_escape_string) is only done in some places.
>
> No, you are totally discarding
> /usr/share/dtc/shared/drawlib/templates.php. Escaping with
> mysql_real_escape_string isn't needed when there's enough input
> checking.

If you assume you never make mistakes, then yes, that is enough. You can
add that to the list:

 * Code assumes there are no bugs, breaks horribly if there is one.

>> * No scheme used to make sure only sanitized variables are ever used.
>> Together with the first point this makes SQL injections very likely.
>
> There is. Each input is checked against a regular expression.

How is this enforced? As long as you access $_REQUEST directly, you
cannot know that this variable has been checked.

> See how things are built in each form in /usr/share/dtc/shared/inc/forms,
> using the dtcListItemsEdit() function, which is object-like manipulation.
> The issue is that in some few places, it's not using that, and that's
> what has been caught for the list.php since this code hasn't been
> re-factored.

"some few places" seems to mean quite a lot of places.

>>> #611680 isn't relevant and has no impact, as written on the BTS.
>>
>> It has some impact as it makes the code more brittle: when a small
>> breach is found, it is easy to escalate it higher.
>
> Fixing it wouldn't change the issue. If you have access to the central
> MySQL database, it's basically finished anyway, since you have
> credentials to access remote dom0. If you have suggestions on how to
> solve that, let me know, but I don't think there is a solution.

Having a single invalid value in the database does not usually imply
full access to the database.

>>> #566654 I believe, isn't more dangerous than the /etc/mysql/debian.cnf.
>>> So unless /etc/mysql/debian.cnf is removed from Debian, fixing #566654
>>> is useless, IMHO.
>>
>> dtc is accessible remotely; the system account for mysql should only be
>> accessible locally. This means read access to files (or backups) gives
>> remote access; to make use of the mysql system account, you would
>> already need to have some kind of local access.
>
> No, there's phpmyadmin anyway.

If it is installed. dtc does not depend on it.
Regards,
Ansgar
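The two points argued in the message above (a regular-expression check that only protects the call sites that remember to apply it, and the impossibility of knowing at the database layer whether a value read straight from $_REQUEST was ever checked) as an added example. This is not dtc's code and is not PHP: it uses Python with an in-memory SQLite table standing in for MySQL, and the table, its rows, the request dictionaries and the LOGIN_RE pattern are all constructed for the illustration.

```python
"""Added example, not dtc code: string-built SQL versus parameter binding,
and a wrapper type that makes "this value has been checked" enforceable.
sqlite3 stands in for MySQL; all data below is constructed."""
import re
import sqlite3

# Constructed validation rule: a login is a short lowercase identifier.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def setup_db():
    """Constructed table with two users; returns an open connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_unsafe(conn, request):
    """The pattern criticised in the thread: the query is assembled by string
    concatenation from a value taken directly out of the request, trusting
    that some other place already ran the regex check. If that place was
    skipped, the value becomes part of the SQL text."""
    login = request["login"]
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, request):
    """Parameter binding: the same lookup, but the value is handed to the
    driver separately and is never interpreted as SQL, checked or not."""
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (request["login"],))]


class Checked(str):
    """A string that can only be produced by check_login(). Code that holds
    a plain str cannot prove the value was validated; code that holds a
    Checked can."""
    __slots__ = ()


def check_login(raw):
    """The single place where request input becomes a Checked value."""
    if not LOGIN_RE.match(raw):
        raise ValueError("invalid login: %r" % (raw,))
    return Checked(raw)


def lookup_checked(conn, login):
    """Database layer that refuses anything not proven checked, and still
    binds the parameter rather than splicing it into the query."""
    if not isinstance(login, Checked):
        raise TypeError("unchecked value reached the database layer")
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (str(login),))]


if __name__ == "__main__":
    db = setup_db()
    payload = {"login": "' OR '1'='1"}   # constructed injection attempt
    print("unsafe:", lookup_unsafe(db, payload))   # every user comes back
    print("bound: ", lookup_bound(db, payload))    # no such login: []
    try:
        lookup_checked(db, payload["login"])       # plain str, not Checked
    except TypeError as exc:
        print("checked:", exc)
```

The first two functions show why "enough input checking" at most call sites is not a substitute for binding: lookup_unsafe is exactly one forgotten regex away from returning every row, while lookup_bound gives the same answer whether or not the caller validated. The Checked wrapper addresses the enforcement question directly: a query helper that only accepts Checked values turns a missing check into a TypeError at the one place that matters, instead of a silent injection.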