Closed lkew closed 11 months ago
Hello,
The SQL query just needs to be escaped. It is not an SQL injection; however, it needs to be fixed. Could you please detail how to reproduce the issue? I could not find any similar SQL query in the code. https://github.com/xbgmsharp/piwigo-openstreetmap/blob/master/admin/admin_tag.php
Code like

```php
if ( $sync_options['cat_id']!=0 )
{
    $query=' SELECT id FROM '.CATEGORIES_TABLE.' WHERE ';
    if ( $sync_options['subcats_included'])
        $query .= 'uppercats REGEXP \'(^|,)'.$sync_options['cat_id'].'(,|$)\'';
    else
        $query .= 'id='.$sync_options['cat_id'];
    $cat_ids = array_from_query($query, 'id');
    $query='SELECT `id`, `name`, `latitude`, `longitude` FROM '.IMAGES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON id=image_id
        WHERE '. SQL_EXIF .' AND category_id IN ('.implode(',', $cat_ids).')
        GROUP BY id';
}
else
{
    $query='SELECT `id`, `name`, `latitude`, `longitude` FROM '.IMAGES_TABLE.' WHERE '. SQL_EXIF;
}
```

is a prime example for potential SQL injection. Did you never hear about Prepared Statements?
Feel free to provide a PR to fix it.
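For reference, here is what the prepared-statement approach raised above looks like for the two query patterns in this thread (the category/IN list from admin_tag.php and the tag-name lookup). This is an added example, not code from the plugin or from Piwigo; it assumes a PDO connection `$pdo`, MySQL's `REGEXP`, and the table-name constants and `SQL_EXIF` fragment already used in the snippet.

```php
<?php
// Added example (not plugin or Piwigo code). Assumes a PDO handle $pdo and the
// constants CATEGORIES_TABLE, IMAGES_TABLE, IMAGE_CATEGORY_TABLE, TAGS_TABLE, SQL_EXIF.
declare(strict_types=1);

// Category lookup: cat_id is forced to int before it reaches SQL, and the
// REGEXP pattern is bound as a parameter instead of concatenated into the query.
function selectCategoryIds(PDO $pdo, array $sync_options): array
{
    $cat_id = (int) $sync_options['cat_id'];
    if (!empty($sync_options['subcats_included'])) {
        $stmt = $pdo->prepare('SELECT id FROM ' . CATEGORIES_TABLE . ' WHERE uppercats REGEXP :pattern');
        $stmt->execute([':pattern' => '(^|,)' . $cat_id . '(,|$)']);
    } else {
        $stmt = $pdo->prepare('SELECT id FROM ' . CATEGORIES_TABLE . ' WHERE id = :id');
        $stmt->execute([':id' => $cat_id]);
    }
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// IN (...) list: one placeholder per id, every id cast to int, and the
// empty-list case handled up front because "IN ()" is a syntax error.
function selectImagesInCategories(PDO $pdo, array $cat_ids): array
{
    if ($cat_ids === []) {
        return [];
    }
    $ids          = array_map('intval', $cat_ids);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = 'SELECT `id`, `name`, `latitude`, `longitude` FROM ' . IMAGES_TABLE
         . ' INNER JOIN ' . IMAGE_CATEGORY_TABLE . ' ON id=image_id'
         . ' WHERE ' . SQL_EXIF . ' AND category_id IN (' . $placeholders . ')'
         . ' GROUP BY id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Tag-name lookup (the query from the patch below): the name is bound as a
// parameter, so quotes in $tag_name are data rather than SQL syntax.
function findTagIdsByName(PDO $pdo, string $tag_name): array
{
    $stmt = $pdo->prepare('SELECT id FROM ' . TAGS_TABLE . ' WHERE name = :name');
    $stmt->execute([':name' => $tag_name]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}
```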
This is still an issue with the current version. Here's how to reproduce:
Here's a fix for the issue:
--- a/admin/include/functions.php 2023-09-30 12:03:25.072790400 +0200
+++ b/admin/include/functions.php 2023-09-30 21:08:06.881713481 +0200
@@ -1720,7 +1720,7 @@
$query = '
SELECT id
FROM '.TAGS_TABLE.'
- WHERE name = \''.$tag_name.'\'
+ WHERE name = \''.pwg_db_real_escape_string($tag_name).'\'
;';
if (count($existing_tags = query2array($query, null, 'id')) == 0)
{
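Review bot: the escape is applied to the single `$tag_name` interpolation at line 1723 of admin/include/functions.php, but the other concatenated queries quoted earlier in this thread (the `$sync_options['cat_id']` and `implode(',', $cat_ids)` interpolations in admin/admin_tag.php) are outside this hunk and would need the same treatment, or an integer cast, to close the issue as reported. The diff also lands in core Piwigo rather than the plugin, which the later replies confirm, so the PR should state which repository it targets.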
Thanks. Could you make this a PR?
Also, is admin/include/functions.php part of the plugin or Piwigo?
It's part of piwigo, not the plugin. I will open a PR over there.
The problem can be fixed in piwigo-openstreetmap, see #237.
Hello, in the tag section, it's not escaping quotes, making it vulnerable to SQL injection: https:///admin.php?page=plugin&section=piwigo-openstreetmap%2Fadmin%2Fadmin.php&tab=tag
Result:
I think I could fix it, but it would probably break all coding rules of both the plugin and Piwigo, so I thought I'd rather report it. If you need anything additional, please let me know.
Thanks, Tristan