Package: acidbase
Severity: critical
Tags: security
Justification: root security hole

The ImportHTTPVar() function (defined in acid_state_common.inc and
include/base_state_common.inc) is defined as:

    function ImportHTTPVar($var_name, $valid_data = "", $exception = "")

and calls CleanVariable($tmp, $valid_data, $exception), which should be used
to clean up invalid characters. However, that one is defined as:

    function CleanVariable($item, $valid_data, $exception = "")
    {
        return $item;
        (...)
    }

So SQL injection (as well as XSS) is possible since:

- calls to extract information from the HTTP request do not use
  ImportHTTPVar() with $valid_data set.
- CleanVariable() does not check against $valid_data

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
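
The early-return behaviour described in the report, next to an allowlist version that actually honours $valid_data. This is an added example, not code from acidbase/BASE or from the reporter. The ALLOW_* constants, the function names, the integer bitmask encoding of $valid_data and the array form of $exception are all assumptions, since the report does not show how those parameters are encoded.

```php
<?php
// Hypothetical character-class flags (assumption: $valid_data is a bitmask).
const ALLOW_DIGIT  = 1;
const ALLOW_LETTER = 2;
const ALLOW_SPACE  = 4;
const ALLOW_PUNCT  = 8;   // only the characters _ . , -

// Behaviour described in the report: the value is returned before any check,
// so $valid_data and $exception are never consulted.
function clean_variable_noop($item, $valid_data, $exception = "") {
    return $item;
}

// Allowlist version: keep only characters from the classes named in
// $valid_data, unless the whole value equals one of the literal exceptions.
function clean_variable_strict($item, int $valid_data, array $exception = []) {
    if ($item === null) {
        return null;
    }
    if (is_array($item)) {
        // Request parameters such as ?id[]=1 arrive as arrays; clean each element.
        return array_map(
            fn($v) => clean_variable_strict($v, $valid_data, $exception),
            $item
        );
    }
    $item = (string)$item;
    if (in_array($item, $exception, true)) {
        return $item;
    }
    if ($valid_data === 0) {
        return "";   // fail closed when the caller names no allowed class
    }
    $class = "";
    if ($valid_data & ALLOW_DIGIT)  $class .= "0-9";
    if ($valid_data & ALLOW_LETTER) $class .= "A-Za-z";
    if ($valid_data & ALLOW_SPACE)  $class .= " ";
    if ($valid_data & ALLOW_PUNCT)  $class .= "_.,\\-";
    return preg_replace("/[^" . $class . "]/", "", $item);
}

// Constructed sample request values for a parameter that should be numeric.
$samples = ["42", "42 OR 1=1", "<script>alert(1)</script>", ["7", "7'--"]];
foreach ($samples as $s) {
    printf("input=%s noop=%s strict=%s\n", json_encode($s),
        json_encode(clean_variable_noop($s, ALLOW_DIGIT)),
        json_encode(clean_variable_strict($s, ALLOW_DIGIT)));
}
```

Character filtering of this kind is a second line of defence: values that reach SQL should still be bound as query parameters, and values echoed into HTML should still be escaped with htmlspecialchars().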