Potential SQL-injection in {get,set}PageCache() #1092

@AdUser

Description

After updating the application from 3.6.14 to 3.6.16 I noticed errors in the web interface like shown below.

[Image: screenshot of the errors in the web interface]

I don't know the exact reason why they appeared, but something else is more important.

Tracking down the problem led me to the *PageCache() family of functions, which compose SQL queries with code like sprintf("%s"). It's a very insecure and error-prone way to do this, allowing potential substitution of arbitrary SQL code by a remote user.

Sql_Query(sprintf('delete from %s where url = "%s"', $GLOBALS['tables']['urlcache'], $url));

For example, if I pass to this code $url with something like "; DROP TABLE phplist_listuser; -- it will also nuke your subscriptions list table.
And no, url_escape() and similar functions are not an option; they can still be fooled.

So, please rewrite this and similar code pieces with prepared SQL statements.

function setPageCache($url, $lastmodified, $content)
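The mechanics behind the report, as an added example that is not part of the issue or of phplist's code: a stand-in for the urlcache table is built in an in-memory SQLite database, the `delete` is first composed by string formatting exactly as the reported sprintf() call does, then rewritten with a bound parameter. The table name, table layout and sample rows are constructed for the example; the payload is a single-statement tautology rather than the stacked DROP TABLE from the report, because whether a driver executes stacked statements varies, while a tautology in the WHERE clause works anywhere. String literals use single quotes so the queries run on SQLite as well as MySQL.

```python
import sqlite3

# Constructed stand-in for phplist's urlcache table (name and columns assumed).
TABLE = "urlcache"
SAMPLE_ROWS = [
    ("http://example.com/a", 1000, "<html>a</html>"),
    ("http://example.com/b", 1001, "<html>b</html>"),
    ("http://example.com/c", 1002, "<html>c</html>"),
]

# Same kind of input the report describes: attacker-controlled $url.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"create table {TABLE} (url text primary key, lastmodified integer, content text)"
    )
    con.executemany(f"insert into {TABLE} values (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def delete_page_cache_vulnerable(con, table, url):
    """Mirrors Sql_Query(sprintf('delete from %s where url = "%s"', ...)):
    the URL is pasted into the SQL text, so quote characters in it become SQL."""
    query = "delete from %s where url = '%s'" % (table, url)
    con.execute(query)
    con.commit()
    return query  # returned so the caller can see what was actually sent


def delete_page_cache_prepared(con, url):
    """Hardened form: the URL travels as a bound parameter and can never be
    parsed as SQL. The table name is an identifier and cannot be bound, so it
    stays a fixed, trusted constant rather than a formatted-in value."""
    con.execute(f"delete from {TABLE} where url = ?", (url,))
    con.commit()


def set_page_cache_prepared(con, url, lastmodified, content):
    """Parameterised counterpart of setPageCache(): replace-or-insert one row."""
    con.execute(
        f"insert or replace into {TABLE} (url, lastmodified, content) values (?, ?, ?)",
        (url, lastmodified, content),
    )
    con.commit()


def count_rows(con):
    return con.execute(f"select count(*) from {TABLE}").fetchone()[0]


def demo():
    """Run both variants against the payload and report the rows left behind."""
    results = {}

    con = make_db()
    results["vulnerable_query"] = delete_page_cache_vulnerable(con, TABLE, PAYLOAD)
    results["vulnerable_rows_left"] = count_rows(con)  # tautology deletes everything

    con = make_db()
    delete_page_cache_prepared(con, PAYLOAD)
    results["prepared_rows_left"] = count_rows(con)  # payload matched no URL

    con = make_db()
    delete_page_cache_prepared(con, "http://example.com/a")
    results["prepared_legit_rows_left"] = count_rows(con)  # normal delete still works

    con = make_db()
    set_page_cache_prepared(con, PAYLOAD, 2000, "<html>stored verbatim</html>")
    results["prepared_stored_url"] = con.execute(
        f"select url from {TABLE} where lastmodified = 2000"
    ).fetchone()[0]  # the quote-laden string is stored as plain data

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The formatted query that reaches the database is `delete from urlcache where url = 'x' OR '1'='1'`, which empties the table; the bound-parameter version deletes nothing for the same input and still deletes exactly one row for a real URL. In phplist the equivalent change is to go through mysqli or PDO prepared statements with `?` placeholders for every value and keep `$GLOBALS['tables']['urlcache']` as the only thing that is ever interpolated into the query text.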
