Bug#336719: Can you reproduce this on 4.5.3-4?
* Hilko Bengen:

> db_query uses sprintf to replace placeholder expressions if passed more than one argument and it seems to me that using %s does the same thing as PHP's string expansion as in 4.5.3.

What about SQL injection? Doesn't db_query protect against it, while PHP's string expansion doesn't?

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#336719: Can you reproduce this on 4.5.3-4?
Florian Weimer [EMAIL PROTECTED] writes:

> > db_query uses sprintf to replace placeholder expressions if passed more than one argument and it seems to me that using %s does the same thing as PHP's string expansion as in 4.5.3.
>
> What about SQL injection? Doesn't db_query protect against it, while PHP's string expansion doesn't?

At second glance, it does seem like it: db_query performs quoting on those arguments which are then added via snprintf().

Do you have any idea how the $key parameter to sess_destroy (includes/session.inc) is generated?

Cheers,
-Hilko
who is once again shocked how little he knows about PHP's internal magic
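The difference between the three sess_destroy() variants this thread argues about can be seen without a database by building the SQL text each one produces. The following is an added example written for this page, not Drupal's own code: model_db_query() is a hypothetical stand-in that approximates the escape-then-sprintf behaviour the thread attributes to db_query (using addslashes() in place of the driver's real escaping), the three sess_destroy_* functions and the sample keys are constructed for illustration.

```php
<?php
// Added example, not Drupal's code: models the three sess_destroy()
// variants discussed in this thread. It only builds the SQL text; no
// database is touched.

// Hypothetical stand-in for db_query()'s placeholder handling. The thread
// describes db_query as quoting the extra arguments and then substituting
// them with sprintf; this models that with addslashes(). The real db_query
// uses the database driver's own escaping, not addslashes().
function model_db_query(string $query, ...$args): string {
    if (!$args) {
        return $query;              // single-argument call: no substitution
    }
    $escaped = array_map(
        fn ($a) => is_string($a) ? addslashes($a) : $a,
        $args
    );
    return vsprintf($query, $escaped);
}

// 4.5.3 behaviour: plain PHP string interpolation, no escaping at all.
function sess_destroy_interpolated(string $key): string {
    return "DELETE FROM {sessions} WHERE sid = '$key'";
}

// First change after 4.5.3: %d placeholder (argument cast to integer).
function sess_destroy_int(string $key): string {
    return model_db_query("DELETE FROM {sessions} WHERE sid = '%d'", $key);
}

// Last change: %s placeholder (argument escaped, then substituted).
function sess_destroy_str(string $key): string {
    return model_db_query("DELETE FROM {sessions} WHERE sid = '%s'", $key);
}

// Constructed inputs: a PHP-style alphanumeric session id and a hostile key
// that tries to break out of the quoted literal.
$keys = [
    'normal'  => 'a3f9c2e1b4d5f6a7b8c9d0e1f2a3b4c5',
    'hostile' => "x' OR '1'='1",
];
$variants = [
    "4.5.3 '\$key'" => 'sess_destroy_interpolated',
    "%d"            => 'sess_destroy_int',
    "%s"            => 'sess_destroy_str',
];
foreach ($variants as $label => $fn) {
    foreach ($keys as $kind => $key) {
        printf("%-14s %-7s %s\n", $label, $kind, $fn($key));
    }
}
```

Running it shows the three outcomes side by side: the interpolated query carries the hostile key verbatim, so the quote in it terminates the string literal; the %d variant turns both keys into 0, so the DELETE never matches a real session row (which is consistent with the logout problem the thread mentions); the %s variant emits the key with its quote characters escaped. Because $key is passed as an argument rather than spliced into the format string, a % character inside it is never interpreted as a conversion specifier, which is the property that separates the %s placeholder from the 4.5.3 interpolation.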
Bug#336719: Can you reproduce this on 4.5.3-4?
* Hilko Bengen:

> Do you have any idea how the $key parameter to sess_destroy (includes/session.inc) is generated?

It seems as if drupal uses the value generated by PHP, which would mean that it's not exploitable for SQL injection, but I'm not sure.
Bug#336719: Can you reproduce this on 4.5.3-4?
Yeah. Looks like this bug is not in 4.5.3-4. I did not test it, but looking at the source it does not look like this version would be affected by this problem.

Hilko Bengen wrote:
> notfound 336719 4.5.3-4
> thank you
>
> Matthew A. Nicholson [EMAIL PROTECTED] writes:
>
> > I don't use 4.5.3, I use 4.5.5. I can download 4.5.3 and compare the source changes, but I don't use it and it's not an option for me to test with it. Give me a few hours and I'll get back to you. :)
>
> 4.5.3-4 is the current version in stable and that has a higher priority for me right now than the version in testing/unstable.
>
> This change got introduced to session.inc after 4.5.3:
>
> function sess_destroy($key) { - db_query(DELETE FROM {sessions} WHERE sid = '$key'); + db_query(DELETE FROM {sessions} WHERE sid = '%d', $key); }
>
> ... and this is the last change that supposedly fixes the logout problem.
>
> function sess_destroy($key) { - db_query(DELETE FROM {sessions} WHERE sid = '%d', $key); + db_query(DELETE FROM {sessions} WHERE sid = '%s', $key); }
>
> db_query uses sprintf to replace placeholder expressions if passed more than one argument and it seems to me that using %s does the same thing as PHP's string expansion as in 4.5.3.
>
> I have removed version 4.5.3-4 from this bug. If you disagree, feel free to add it again with a found statement to [EMAIL PROTECTED], with a rationale.
>
> Cheers,
> -Hilko

-- 
Matthew A. Nicholson
Matt-Land.com
Bug#336719: Can you reproduce this on 4.5.3-4?
notfound 336719 4.5.3-4
thank you

Matthew A. Nicholson [EMAIL PROTECTED] writes:

> I don't use 4.5.3, I use 4.5.5. I can download 4.5.3 and compare the source changes, but I don't use it and it's not an option for me to test with it. Give me a few hours and I'll get back to you. :)

4.5.3-4 is the current version in stable and that has a higher priority for me right now than the version in testing/unstable.

This change got introduced to session.inc after 4.5.3:

function sess_destroy($key) { - db_query(DELETE FROM {sessions} WHERE sid = '$key'); + db_query(DELETE FROM {sessions} WHERE sid = '%d', $key); }

... and this is the last change that supposedly fixes the logout problem.

function sess_destroy($key) { - db_query(DELETE FROM {sessions} WHERE sid = '%d', $key); + db_query(DELETE FROM {sessions} WHERE sid = '%s', $key); }

db_query uses sprintf to replace placeholder expressions if passed more than one argument and it seems to me that using %s does the same thing as PHP's string expansion as in 4.5.3.

I have removed version 4.5.3-4 from this bug. If you disagree, feel free to add it again with a found statement to [EMAIL PROTECTED], with a rationale.

Cheers,
-Hilko
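Review bot: the first hunk ('$key' replaced by '%d') closes the interpolation hole only by destroying the value: session ids generated by PHP are alphanumeric strings, so sprintf's %d converts every one of them to 0 and the DELETE never matches the real row. That is exactly the shape of the logout problem the second hunk is said to fix; the right replacement for an interpolated string is a string placeholder whose argument is escaped, not an integer conversion.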
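Review bot: the second hunk ('%d' replaced by '%s') is only an improvement over the 4.5.3 interpolation if db_query escapes each extra argument before substituting it into the format string, so that point should be confirmed against db_query itself rather than from this diff alone. If it does, the two differ in the one way that matters: the quote characters in $key are escaped before they reach the single-quoted literal, and because $key is an argument rather than part of the format, a '%' in it cannot act as a conversion specifier. The security of this hunk also depends on $key really coming from PHP's session handler and not from anything the client can supply directly.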
Bug#336719: Can you reproduce this on 4.5.3-4?
I don't use 4.5.3, I use 4.5.5. I can download 4.5.3 and compare the source changes, but I don't use it and it's not an option for me to test with it. Give me a few hours and I'll get back to you. :)

Hilko Bengen wrote:
> The current version in sarge (w/ security updates) is 4.5.3-4 and from looking at upstream's CVS tree, it appears to me as if the bug leading to the security vulnerability was introduced _after_ 4.5.3. Can you confirm that this bug exists in 4.5.3-4?
>
> Moreover, merging the PostgreSQL-related issues with this security bug does _not_ seem to be a good idea to me.
>
> Cheers,
> -Hilko, reading up on BTS documentation

-- 
Matthew A. Nicholson
Digium
Bug#336719: Can you reproduce this on 4.5.3-4?
The current version in sarge (w/ security updates) is 4.5.3-4 and from looking at upstream's CVS tree, it appears to me as if the bug leading to the security vulnerability was introduced _after_ 4.5.3. Can you confirm that this bug exists in 4.5.3-4?

Moreover, merging the PostgreSQL-related issues with this security bug does _not_ seem to be a good idea to me.

Cheers,
-Hilko, reading up on BTS documentation