View Issue Details

ID: 0001031
Project: Main CAcert Website
Category: Audit issues
View Status: public
Last Update: 2018-11-18 13:46
Reporter: clopez
Assigned To: Patrick
Priority: high
Severity: major
Reproducibility: always
Status: fix available
Resolution: open
Platform: Default
OS: any
OS Version: any
Product Version:
Target Version:
Fixed in Version:
Summary: 0001031: Disable use of insecure function mysql_escape_string()
Description: mysql_escape_string() is insecure

 * http://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l

And it's used on core parts like password user logging:

$ grep -rl mysql_escape_string .
./includes/lib/general.php
./www/wot.php
./www/disputes.php
./www/verify.php
./www/alert_hash_collision.php
./www/index.php
./www/api/cemails.php
./www/api/edu.php
./pages/wot/12.php
./pages/wot/13.php
./pages/account/43.php
./pages/account/53.php
./pages/account/41.php
./pages/account/54.php
./pages/account/49.php
./tverify/index.php


Theoretically this can be exploited to perform a SQL Injection attack.


Please replace all mysql_escape_string() occurrences with the secure mysql_real_escape_string().

You can do this simply by executing this command on the topdir:

grep -rl mysql_escape_string . | xargs sed -i "s/mysql_escape_string/mysql_real_escape_string/g"
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001162 (fix available, INOPIAE): calculate (the passwords) hash in php instead of in mysql -> \\
related to 0001260 (needs work, BenBE): Make the source compatible with recent PHP versions
related to 0001442 (needs review & testing, GuKKDevel): Rewrite code to use ext/mysqli API (or PDO_MySQL) instead of ext/mysql
related to 0000156 (needs work, bluec): magic_quotes_gpc vs. mysql_escape_string()
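
A more careful form of the bulk replacement in the description, as an added example that is not part of the original report or the CAcert code base: it matches whole identifiers only, copes with spaces in file names, and counts calls before and after so leftovers are visible. The function names, the hypothetical wrapper name and the sample tree are constructed for illustration; GNU grep, sed and xargs are assumed.

```shell
#!/bin/sh
# Added example (not CAcert code): whole-word replace plus a before/after audit.
# Assumes GNU grep, sed and xargs. OLD/NEW are the two functions named in the issue.
OLD='mysql_escape_string'
NEW='mysql_real_escape_string'

# count_calls DIR NAME: occurrences of NAME as a whole identifier in *.php files.
# \b keeps a hypothetical my_mysql_escape_string_wrapper() out of the count.
count_calls() {
    { grep -rhoE --include='*.php' -- "\\b$2\\b" "$1" || true; } | wc -l | tr -d ' '
}

# replace_escape_calls DIR: rewrite OLD to NEW in place.
# -Z with xargs -0 survives spaces in file names; -r skips sed when nothing matches.
replace_escape_calls() {
    grep -rlZE --include='*.php' -- "\\b${OLD}\\b" "$1" |
        xargs -0 -r sed -i "s/\\b${OLD}\\b/${NEW}/g"
}

# make_sample_tree: build a small constructed source tree and print its path.
make_sample_tree() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/www/api" "$sample_dir/pages/my account"
    printf '%s\n' '<?php $e = mysql_escape_string($_POST["email"]);' \
        '$p = mysql_escape_string($_POST["pword"]); ?>' > "$sample_dir/www/index.php"
    printf '%s\n' '<?php $n = mysql_real_escape_string($name); ?>' \
        > "$sample_dir/www/api/edu.php"
    printf '%s\n' '<?php $x = my_mysql_escape_string_wrapper(mysql_escape_string($v)); ?>' \
        > "$sample_dir/pages/my account/43.php"
    echo "$sample_dir"
}

# Demo on the constructed tree.
demo_dir=$(make_sample_tree)
echo "before: $(count_calls "$demo_dir" "$OLD") old, $(count_calls "$demo_dir" "$NEW") new"
replace_escape_calls "$demo_dir"
echo "after:  $(count_calls "$demo_dir" "$OLD") old, $(count_calls "$demo_dir" "$NEW") new"
rm -rf "$demo_dir"
```

mysql_real_escape_string() escapes according to the character set of the current connection, so each rewritten call site must run with a database connection already open.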

Activities

Patrick

2015-02-27 22:06

updater   ~0005336

I quickly wrote the fix.

https://github.com/DjBusti/cacert-devel/commit/c7ec6a2aa2edc6d59578d5adc685de01d4497461

Ted

2018-11-18 13:46

administrator   ~0005684

Note that 0001442 also replaces mysql_real_escape_string by mysqli_real_escape_string.

So, once bug-1442 is installed this issue is obsolete.

Issue History

Date Modified Username Field Change
2012-04-09 03:12 clopez New Issue
2013-05-15 05:59 INOPIAE Relationship added related to 0001162
2013-11-12 21:25 INOPIAE Relationship added related to 0000156
2014-03-19 10:54 BenBE Relationship added related to 0001260
2015-02-27 22:04 Patrick Assigned To => Patrick
2015-02-27 22:06 Patrick Note Added: 0005336
2015-03-10 21:22 INOPIAE Status new => fix available
2018-11-18 13:45 Ted Relationship added related to 0001442
2018-11-18 13:46 Ted Note Added: 0005684