su.c has a trivially exploitable bug on lines 65-66:
    char update[1024];
    sprintf(update, "update whitelist set count=%d where _id='%s';", count, argv[0]);
An attacker controls the size and values represented in argv[0]. When
argv[0] is greater than 1024, this will cause an overflow condition. This
might allow an attacker to execute arbitrary code.
This kind of stuff is all over su.c and is basically a nightmare.
Original issue reported on code.google.com by ioer...@gmail.com on 26 May 2010 at 3:57
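A bounded version of the formatting call quoted above, as an added example that is not part of the original report or of su.c. The names `build_update`, `update_bytes_needed` and `try_id_of_length` are hypothetical, and the 'A'-filled string is constructed input standing in for argv[0]. With a one-digit count the fixed query text already takes 42 bytes, so the 1024-byte buffer is exceeded once the identifier passes 981 characters.

```c
#include <stdio.h>
#include <string.h>

#define UPDATE_FMT "update whitelist set count=%d where _id='%s';"

/* Bytes the formatted statement occupies, including the terminating NUL. */
static size_t update_bytes_needed(int count, const char *id)
{
    int n = snprintf(NULL, 0, UPDATE_FMT, count, id);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement for the sprintf() call: returns 0 on success, -1 if
 * the statement would not fit. On failure the buffer holds an empty string,
 * never a truncated query. */
static int build_update(char *buf, size_t size, int count, const char *id)
{
    int n;
    if (buf == NULL || size == 0 || id == NULL)
        return -1;
    n = snprintf(buf, size, UPDATE_FMT, count, id);
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: `len` 'A' characters standing in for argv[0]. */
static int try_id_of_length(size_t len)
{
    char id[2048];
    char update[1024];   /* same size as the buffer in the report */
    if (len >= sizeof(id))
        return -1;
    memset(id, 'A', len);
    id[len] = '\0';
    return build_update(update, sizeof(update), 1, id);
}

int main(void)
{
    printf("bytes needed, empty id: %zu\n", update_bytes_needed(1, ""));
    printf("id of 981 chars: %d\n", try_id_of_length(981));
    printf("id of 982 chars: %d\n", try_id_of_length(982));
    return 0;
}
```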