Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-11 Thread Florian Weimer
* Hilko Bengen:

> db_query uses sprintf to replace placeholder expressions if passed
> more than one argument and it seems to me that using %s does the same
> thing as PHP's string expansion as in 4.5.3.

What about SQL injection?  Doesn't db_query protect against it, while
PHP's string expansion doesn't?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-11 Thread Hilko Bengen
Florian Weimer [EMAIL PROTECTED] writes:

>> db_query uses sprintf to replace placeholder expressions if passed
>> more than one argument and it seems to me that using %s does the
>> same thing as PHP's string expansion as in 4.5.3.
>
> What about SQL injection? Doesn't db_query protect against it, while
> PHP's string expansion doesn't?

At second glance, it does seem like it: db_query performs quoting on
those arguments which are then added via snprintf().

Do you have any idea how the $key parameter to sess_destroy
(includes/session.inc) is generated?

Cheers,
-Hilko who is once again shocked how little he knows about PHP's
   internal magic





Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-11 Thread Florian Weimer
* Hilko Bengen:

> Do you have any idea how the $key parameter to sess_destroy
> (includes/session.inc) is generated?

It seems as if drupal uses the value generated by PHP, which would
mean that it's not exploitable for SQL injection, but I'm not sure.





Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-06 Thread Matthew A. Nicholson
Yeah.  Looks like this bug is not in 4.5.3-4.  I did not test it, but 
looking at the source it does not look like this version would be 
affected by this problem.


Hilko Bengen wrote:

notfound 336719 4.5.3-4
thank you

Matthew A. Nicholson [EMAIL PROTECTED] writes:


I don't use 4.5.3, I use 4.5.5.  I can download 4.5.3 and compare the 
source changes, but I don't use it and it's not an option for me to test 
with it.  Give me a few hours and I'll get back to you. :)





4.5.3-4 is the current version in stable and that has a higher
priority for me right now than the version in testing/unstable.

This change got introduced to session.inc after 4.5.3:

 function sess_destroy($key) {
-  db_query(DELETE FROM {sessions} WHERE sid = '$key');
+  db_query(DELETE FROM {sessions} WHERE sid = '%d', $key);
 }

... and this is the last change that supposedly fixes the logout
problem.

 function sess_destroy($key) {
-  db_query(DELETE FROM {sessions} WHERE sid = '%d', $key);
+  db_query(DELETE FROM {sessions} WHERE sid = '%s', $key);
 }

db_query uses sprintf to replace placeholder expressions if passed
more than one argument and it seems to me that using %s does the same
thing as PHP's string expansion as in 4.5.3.

I have removed version 4.5.3-4 from this bug. If you disagree, feel
free to add it again with a found statement to [EMAIL PROTECTED], with a
rationale.

Cheers,
-Hilko


--
Matthew A. Nicholson
Matt-Land.com





Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-05 Thread Hilko Bengen
notfound 336719 4.5.3-4
thank you

Matthew A. Nicholson [EMAIL PROTECTED] writes:

> I don't use 4.5.3, I use 4.5.5.  I can download 4.5.3 and compare the
> source changes, but I don't use it and it's not an option for me to test
> with it.  Give me a few hours and I'll get back to you. :)



4.5.3-4 is the current version in stable and that has a higher
priority for me right now than the version in testing/unstable.

This change got introduced to session.inc after 4.5.3:

 function sess_destroy($key) {
-  db_query(DELETE FROM {sessions} WHERE sid = '$key');
+  db_query(DELETE FROM {sessions} WHERE sid = '%d', $key);
 }
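Review bot: the `%d` conversion in the added db_query line is wrong for a session ID. sprintf formats that argument as an integer, so a non-numeric sid (the hex strings PHP generates) is rendered as 0, the DELETE matches no row, and the session survives logout; if the "logout problem" discussed below is this bug, it enters here. The placeholder should be `%s` with db_query escaping the argument, as the following hunk does. Wrapping `%d` in single quotes is also a sign the conversion was picked without checking what $key holds: an integer placeholder inside a string literal only makes sense if the column really is numeric.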

... and this is the last change that supposedly fixes the logout
problem.

 function sess_destroy($key) {
-  db_query(DELETE FROM {sessions} WHERE sid = '%d', $key);
+  db_query(DELETE FROM {sessions} WHERE sid = '%s', $key);
 }
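Review bot: `%s` is the right conversion, but this line is only injection-safe if db_query escapes the extra argument before handing it to sprintf; without that step it is equivalent to the 4.5.3 interpolation of '$key' and the single quotes around `%s` offer no protection. Before accepting this as the fix, confirm the escaping step in db_query and confirm that $key is only ever the session ID PHP passes to the session handler, never a value taken from the request.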

db_query uses sprintf to replace placeholder expressions if passed
more than one argument and it seems to me that using %s does the same
thing as PHP's string expansion as in 4.5.3.

I have removed version 4.5.3-4 from this bug. If you disagree, feel
free to add it again with a found statement to [EMAIL PROTECTED], with a
rationale.

Cheers,
-Hilko


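The point argued in the two hunks above, and in the later exchange about whether db_query quotes its placeholder arguments, is easier to see with the three versions of sess_destroy() rendered as SQL strings. The following is an added example, not Drupal's code and not part of the bug thread; render_query() is a stand-in modelled on what the thread says db_query does (escape the extra arguments, then sprintf them into the query) and is an assumption, not Drupal's db_query. addslashes() stands in for the database driver's escaping function so that the example runs without a database, and the two session IDs are constructed inputs.

```php
<?php
// Added example, not Drupal's code. Renders the three sess_destroy() variants
// from the diff hunks as SQL strings so the difference between '$key'
// interpolation, '%d' and '%s' is visible without a database.

// Stand-in for db_query's placeholder handling (assumption, not the real
// implementation): with a single argument the query is used verbatim; with
// more, each string argument is escaped and the result is substituted with
// vsprintf(). addslashes() replaces the driver's escaping function here.
function render_query($query, ...$args) {
    if (count($args) === 0) {
        return $query;
    }
    $escaped = array_map(function ($arg) {
        return is_string($arg) ? addslashes($arg) : $arg;
    }, $args);
    return vsprintf($query, $escaped);
}

// 4.5.3: PHP string interpolation, the value goes into the SQL unescaped.
function sess_destroy_interpolated($key) {
    return "DELETE FROM {sessions} WHERE sid = '$key'";
}

// First change after 4.5.3: '%d' placeholder; sprintf casts $key to int.
function sess_destroy_int($key) {
    return render_query("DELETE FROM {sessions} WHERE sid = '%d'", $key);
}

// Last change: '%s' placeholder; $key is escaped before substitution.
function sess_destroy_str($key) {
    return render_query("DELETE FROM {sessions} WHERE sid = '%s'", $key);
}

// Constructed inputs: a hex session id of the kind PHP generates, and the
// value an attacker would send if $key could be influenced by the request.
$inputs = [
    'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6',
    "' OR '1'='1",
];

foreach ($inputs as $sid) {
    echo "sid: $sid\n";
    echo "  interpolated: " . sess_destroy_interpolated($sid) . "\n";
    echo "  %d:           " . sess_destroy_int($sid) . "\n";
    echo "  %s:           " . sess_destroy_str($sid) . "\n\n";
}
```

With the hex id, the `%d` form produces `sid = '0'`, because sprintf reduces a non-numeric string to 0; the DELETE then matches nothing and the session is never destroyed, which is exactly the shape of a logout that silently fails. With the hostile value, interpolation produces `WHERE sid = '' OR '1'='1'` and would delete every row in the table, while the `%s` form produces `sid = '\' OR \'1\'=\'1'`, a plain string comparison. Whether db_query actually performs that escaping step is what the later messages in the thread go on to check; the stand-in assumes it does, and the single quotes around `%s` in the query are only correct if the escaping function does not add its own.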



Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-04 Thread Matthew A. Nicholson
I don't use 4.5.3, I use 4.5.5.  I can download 4.5.3 and compare the 
source changes, but I don't use it and it's not an option for me to test 
with it.  Give me a few hours and I'll get back to you. :)


Hilko Bengen wrote:

The current version in sarge (w/ security updates) is 4.5.3-4 and from
looking at upstream's CVS tree, it appears to me as if the bug leading
to the security vulnerability was introduced _after_ 4.5.3.

Can you confirm that this bug exists in 4.5.3-4?

Moreover, merging the PostgreSQL-related issues with this security bug
does _not_ seem to be a good idea to me.

Cheers,
-Hilko, reading up on BTS documentation


--
Matthew A. Nicholson
Digium





Bug#336719: Can you reproduce this on 4.5.3-4?

2005-11-03 Thread Hilko Bengen
The current version in sarge (w/ security updates) is 4.5.3-4 and from
looking at upstream's CVS tree, it appears to me as if the bug leading
to the security vulnerability was introduced _after_ 4.5.3.

Can you confirm that this bug exists in 4.5.3-4?

Moreover, merging the PostgreSQL-related issues with this security bug
does _not_ seem to be a good idea to me.

Cheers,
-Hilko, reading up on BTS documentation

