On Wed, 2005-10-26 at 19:36 -0400, Kevin Johnson wrote:
> Someone has reported a sql injection problem with base_qry_main.php. He
> filed a bug report this morning but I have not yet heard from him. In
> various other places it appears that he published more details around
> the problem. The issue I have is that I can not reproduce his report.
> BASE has a number of problems with data validation that we have
> inherited from ACID. We try to acknowledge this in the README, but we
> do need to do what we can to fix them. 2.x will be written to protect
> against this but 1.x should be fixed. Hopefully, Remco will respond to
> my requests for more information and we can either fix it or mitigate
> the issue.
We have gotten more information on the bug and I believe that the code I
just checked into CVS fixes the problem without breaking anything else.
(I hope<grin>) If everyone can either check out the code or apply the
change I will describe below to their current install and run through
some tests, we can make sure that nothing else is broken by this change.
I would like to get this fix out as soon as possible, so please let me
know the results of your individual tests.
The change I did was to add the line:
$sql = eregi_replace(";", " [Possible SQL Injection Attack] ", $sql);
This becomes line 202 in includes/base_db.inc.php. What this does is
replace any semicolons with the " [Possible SQL Injection Attack] "
which will break any sql injection. If you have the SQL trace turned on
in your base_conf.php, you will be able to see the message in the log.
I do not see anywhere in the code where we execute multiple SQL queries
which is when the semicolon is required, so this should not break
Thanks everyone for their testing,
BASE Project Lead
The next step in IDS analysis!
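The one-line change described in the message above, replayed as an added example (not BASE's own code, and not from this thread). It assumes a BASE-style table named acid_event and a request parameter spliced straight into the query text, which is the pre-fix pattern the message refers to; the payloads and the sql_trace helper are constructed here for illustration. It shows that the semicolon replacement does break a stacked statement (and makes it visible in a trace log), that a payload without a semicolon passes through the filter untouched, and what parameter binding, the approach the message says 2.x will take, does with the same inputs.

```python
import sqlite3

# The replacement text the fix inserts in place of every ';'.
MARKER = " [Possible SQL Injection Attack] "


def filter_semicolons(sql: str) -> str:
    """Python equivalent of the one-line fix in base_db.inc.php: every ';'
    in the assembled statement becomes MARKER. The original used
    eregi_replace (case-insensitive regex), but for a literal ';' a plain
    replace is identical."""
    return sql.replace(";", MARKER)


def build_unsafe(cid: str) -> str:
    """Constructed stand-in for the pre-fix pattern: an untrusted request
    value concatenated directly into the SQL text."""
    return f"SELECT cid FROM acid_event WHERE cid = {cid}"


def sql_trace(sql: str) -> str:
    """Hypothetical stand-in for the base_conf.php SQL trace: returns the
    log line that would be written, flagged if the marker is present."""
    level = "ALERT" if MARKER.strip() in sql else "QUERY"
    return f"{level}: {sql}"


def new_db() -> sqlite3.Connection:
    """In-memory table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event (cid INTEGER, sid INTEGER)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?)", [(1, 1), (2, 1), (3, 1)])
    conn.commit()
    return conn


def run_script(conn: sqlite3.Connection, sql: str):
    """Run SQL through an interface that honours ';' (stacked statements),
    as a multi-statement DB driver would. Returns ("ok", table_still_exists)
    or ("error", message) if the text no longer parses."""
    try:
        conn.executescript(sql)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'acid_event'"
    ).fetchone()
    return ("ok", n == 1)


def count_unsafe(conn: sqlite3.Connection, cid: str) -> int:
    """Build the query the pre-fix way, apply the semicolon filter, run it
    as a single statement, and return the number of rows it yields."""
    sql = filter_semicolons(build_unsafe(cid))
    return len(conn.execute(sql).fetchall())


def query_param(conn: sqlite3.Connection, cid: str):
    """Parameter binding: the value is never part of the SQL text, so neither
    payload can alter the statement."""
    return conn.execute("SELECT cid FROM acid_event WHERE cid = ?", (cid,)).fetchall()


def main() -> None:
    stacked = "1; DROP TABLE acid_event"   # constructed stacked-statement payload
    tautology = "1 OR 1=1"                 # constructed payload with no ';'

    # Without the filter the second statement runs and the table is gone.
    print("unfiltered stacked :", run_script(new_db(), build_unsafe(stacked)))
    # With the filter the text is one broken statement; the trace shows why.
    filtered = filter_semicolons(build_unsafe(stacked))
    print(sql_trace(filtered))
    print("filtered stacked   :", run_script(new_db(), filtered))

    conn = new_db()
    # No semicolon, so the filter changes nothing and every row comes back.
    print(sql_trace(filter_semicolons(build_unsafe(tautology))))
    print("filtered tautology :", count_unsafe(conn, tautology), "rows")
    # Binding treats both payloads as plain values that match nothing.
    print("bound stacked      :", query_param(conn, stacked))
    print("bound tautology    :", query_param(conn, tautology))
    print("bound '2'          :", query_param(conn, "2"))


if __name__ == "__main__":
    main()
```

The point to take from running it: the replacement neutralises only what depends on a statement separator, which is exactly what the message says the project's code never uses, so it is a safe mitigation for stacked queries; any injected fragment that stays inside the single statement is not affected by it, which is why the parameterised form is the durable fix.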