ryzom / ryzomcore

Ryzom Core is the open-source project related to the Ryzom game. This community repository is synchronized with the Ryzom Forge repository, based on the Core branch.
https://wiki.ryzom.dev
GNU Affero General Public License v3.0

[security] potential SQL injection in monitor_service #297

Closed ryzom-pipeline closed 7 years ago

ryzom-pipeline commented 7 years ago

Original report by gasche (Bitbucket: gasche, GitHub: gasche).


The code of server/src/service_main.cpp, function clientAuthentification, seems highly likely to be amenable to a SQL injection that could compromise the database it has access to.

```cpp
void clientAuthentication(CMessage &msgin, TSockId from, CCallbackNetBase &netbase)
{
    std::string login;
    std::string password;
    sint version = msgin.serialVersion(0);
    msgin.serial(login);
[...]
    std::string queryStr = toString("SELECT Password FROM user where Login='%s'", login.c_str());
    int result = mysql_query(DatabaseConnection, queryStr.c_str());
```

I am not familiar with the codebase, so it is possible that the values flowing to this part of the code have already been sanitized in a previous transformation pass. It looks however like the login string is decoded raw from a network message, without any sanitization.

I apologize for reporting a possibly delicate security issue on a public bugtracker. On the other hand, I looked on the website and found no other way to report issues. If you wish to provide a path to security issue disclosure, having some information on your website on how to report them would be a good first step. Besides, I have written to support@ryzom.com in the past (about a different issue) and got no response or acknowledgment of any kind.
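The vulnerable string-formatting pattern beside an escaped-and-validated form, as an added example that is not Ryzom's code and not part of the report; the function names, the 32-character login policy and the escaping routine are assumptions, and the quote counter stands in for a test that the literal boundary survives the input:

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Stand-in for the service's toString("... Login='%s'", login.c_str()) pattern:
// whatever arrived in the network message is pasted into the SQL text verbatim.
std::string buildQueryUnsafe(const std::string &login) {
    char buf[512];
    std::snprintf(buf, sizeof(buf), "SELECT Password FROM user where Login='%s'", login.c_str());
    return std::string(buf);
}
// Escapes the characters mysql_real_escape_string() treats specially (assumed
// equivalent for this demonstration; the real call also honours the connection charset).
std::string escapeSqlLiteral(const std::string &s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\x1a': out += "\\Z";  break;
            default:     out += c;
        }
    }
    return out;
}
std::string buildQueryEscaped(const std::string &login) {
    return "SELECT Password FROM user where Login='" + escapeSqlLiteral(login) + "'";
}
// Boundary check applied right after msgin.serial(login): accept only
// alphanumerics and underscore, up to 32 chars (assumed policy, not the project's).
bool isWellFormedLogin(const std::string &login) {
    if (login.empty() || login.size() > 32) return false;
    for (unsigned char c : login)
        if (!std::isalnum(c) && c != '_') return false;
    return true;
}
// A correctly formed query here carries exactly two unescaped single quotes.
int countBareQuotes(const std::string &q) {
    int n = 0;
    for (size_t i = 0; i < q.size(); ++i) {
        if (q[i] == '\\') { ++i; continue; }
        if (q[i] == '\'') ++n;
    }
    return n;
}
```

Escaping repairs this exact pattern, but binding the login as a parameter of a prepared statement (`mysql_stmt_prepare` with `mysql_stmt_bind_param` in the MySQL C API) removes the hand-built literal altogether and is the more robust fix.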

ryzom-pipeline commented 7 years ago

Original comment by Cédric Ochs (Bitbucket: [Cédric OCHS](https://bitbucket.org/Cédric OCHS)).


Thanks for the report, I'll check that :)

ryzom-pipeline commented 7 years ago

Original comment by Cédric Ochs (Bitbucket: [Cédric OCHS](https://bitbucket.org/Cédric OCHS)).


Fixed: Possible SQL injection, fixes #297