h0ng10 / yubico-yubiserve

Automatically exported from code.google.com/p/yubico-yubiserve
GNU General Public License v3.0

SQL injection vulnerability #38

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
There is a SQL injection vulnerability in the OATH part. The publicID parameter 
is under direct control of the attacker and is given directly to the validateOATH 
method without any kind of filtering.

A parameterized statement is the proper way to fix this SQL injection. This idea 
has already been suggested 
(https://code.google.com/p/yubico-yubiserve/issues/detail?id=31) but was 
rejected. Indeed, the patch is not compatible with both SQLite and MySQL because the 
paramstyle is different for each supported database (SQLite, SQLite3 and MySQL).

This patch filters each field of the query string and should fix this 
vulnerability.

Original issue reported on code.google.com by oss-...@quarkslab.com on 9 Jul 2015 at 7:28

Attachments:
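The objection that parameterized statements cannot serve SQLite and MySQL at once can be handled by choosing the placeholder from the DB-API driver's `paramstyle` attribute (`sqlite3.paramstyle` is `'qmark'`, MySQLdb reports `'format'`, pymysql `'pyformat'`). The following is an added example, not yubiserve's code and not the patch attached to this issue: it shows a string-interpolated lookup of the kind the report describes beside a bound-parameter version and an allow-list check. The table name, column names, query shape, token data and the public-ID pattern are all assumptions made for the example; only the sqlite3 path is exercised here.

```python
import re
import sqlite3

# Placeholder syntax per PEP 249 paramstyle: sqlite3 -> 'qmark',
# MySQLdb -> 'format', pymysql -> 'pyformat' (which also accepts %s).
PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s"}

# Assumed shape of an OATH public ID for the allow-list check; this is an
# assumption for the example, not yubiserve's own validation rule.
PUBLIC_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def make_db():
    """Constructed in-memory stand-in for the OATH token table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE oathtokens "
        "(publicname TEXT, secret TEXT, counter INTEGER, active INTEGER)"
    )
    # Constructed sample rows; the secrets are placeholders, not real keys.
    db.executemany(
        "INSERT INTO oathtokens VALUES (?, ?, ?, ?)",
        [
            ("tokenA", "3132333435363738393031323334353637383930", 5, 1),
            ("tokenB", "4a4b4c4d4e4f505152535455565758595a5b5c5d", 9, 1),
            ("tokenC", "0000000000000000000000000000000000000000", 0, 0),
        ],
    )
    db.commit()
    return db


def lookup_vulnerable(db, public_id):
    """Query built by string interpolation: public_id becomes part of the SQL text."""
    sql = (
        "SELECT publicname, secret, counter FROM oathtokens "
        "WHERE publicname = '%s' AND active = 1" % public_id
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, public_id, paramstyle=sqlite3.paramstyle):
    """Same query with a bound parameter; the placeholder is picked per driver."""
    ph = PLACEHOLDERS[paramstyle]
    sql = (
        "SELECT publicname, secret, counter FROM oathtokens "
        "WHERE publicname = " + ph + " AND active = 1"
    )
    # The driver sends public_id as data, so quotes and SQL keywords in it are inert.
    return db.execute(sql, (public_id,)).fetchall()


def lookup_hardened(db, public_id, paramstyle=sqlite3.paramstyle):
    """Allow-list the input first (defence in depth), then bind it."""
    if not PUBLIC_ID_RE.match(public_id):
        return []
    return lookup_parameterized(db, public_id, paramstyle)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # WHERE publicname = '' OR '1'='1' AND active = 1  -> every active token
    print("vulnerable   :", lookup_vulnerable(db, payload))    # 2 rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened     :", lookup_hardened(db, payload))       # []
    print("legitimate   :", lookup_hardened(db, "tokenA"))      # 1 row
```

With `AND` binding tighter than `OR`, the interpolated query collapses to "every active token", which is why the vulnerable variant returns two rows for the payload while both bound variants return nothing. The same `lookup_parameterized` body works against MySQLdb by passing `MySQLdb.paramstyle`, which is the point the earlier suggestion in issue 31 was rejected on.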