#876 awredir.pl - sql injection and column mismatch

7.0
open
nobody
Other (206)
5
2012-10-11
2011-10-06
Petr Lautrbach
No

awredir.pl contains an SQL injection

reproducer:
set mysql database for TRACEBASE, $KEYFORMD5='5'; and try:
http://site/awstats/awredir.pl?key=cd4b03b7e0f455bce011b78cca2eecf9&url=%27%20and%20benchmark(1000000000,md5(now()))%20AND%20%27a%27%20=%20%27a

fix:
- my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = '$Url'");
- $sth->execute || error("Error: Unable execute query:$dbh->err, $dbh->errstr");
+ my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = ?");
+ $sth->execute($Url) || error("Error: Unable execute query:$dbh->err, $dbh->errstr");
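
Review bot: on the added execute line, "$dbh->err" and "$dbh->errstr" sit inside a double-quoted string, where Perl interpolates only $dbh and leaves "->err" and "->errstr" as literal text, so a failure will print the handle's stringified reference instead of the driver error. Build the message by concatenation instead, for example error("Error: Unable execute query: " . $sth->errstr). The added prepare line also still reads "set HITS_LINKS = HIT_LINKS+1", so the column mismatch is carried into the fixed statement, and the return value of prepare is not checked before execute is called on it.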

There is also a column name mismatch: "... set HITS_LINKS = HIT_LINKS+1". Should this be HIT_LINKS or HITS_LINKS?

Discussion