CVE-2021-44567: Fix #308 Unauthenticated SQL injection. Use sanitized `$_REQUEST` + Move... (e001430a) · Commits · François Jacquet / rosariosis

An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.


Commit e001430a authored Jan 30, 2021 by François Jacquet


Fix #308 Unauthenticated SQL injection. Use sanitized `$_REQUEST` + Move Portal Poll vote code to modfunc

Changes: 3 files

@@ -4,6 +4,8 @@

Changes in 7.6.1

----------------

- Fix #307 XSS update CodeIgniter Security class in classes/Security.php, thanks to @DustinBorn

- Move Portal Poll vote code to modfunc in PortalPollNotes.php & Portal.php

- Fix #308 Unauthenticated SQL injection. Use sanitized `$_REQUEST` in Portal.php, thanks to @DustinBorn

Changes in 7.6

--------------
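Review bot: the "Move Portal Poll vote code" entry names the file `PortalPollNotes.php`, but the file this commit actually touches is `ProgramFunctions/PortalPollsNotes.fnc.php` (see the old form `action` in the PortalPollForm hunk below); correct the changelog entry so the file can be found by name. It would also help the #308 entry to say that the direct entry point `ProgramFunctions/PortalPollsNotes.fnc.php` is removed and votes now go through `Modules.php?modname=misc/Portal.php&modfunc=poll_vote`, since anyone triaging the CVE will want to know which request path changed.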

@@ -2,8 +2,6 @@

/**

* Portal Polls and Portal Notes functions.

*

* @todo Format code!

*

* @package RosarioSIS

* @subpackage ProgramFunctions

*/
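Review bot: the hunk header (`-2,8 +2,6`) says two lines were dropped from this docblock, but the rendered lines show no removal, so the change itself is not reviewable here; more importantly, now that the AJAX handler at the bottom of this file is gone, the docblock should state that `PortalPollsNotes.fnc.php` is an include-only function library and is not meant to be requested directly. The stale `@todo Format code!` could be resolved or dropped at the same time.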

@@ -241,7 +239,7 @@ function PortalPollForm( $poll_id, $poll_questions_RET )

}

$poll_form .= ‘<form method="POST" id="formPortalPoll’ . $poll_id . '"

action="ProgramFunctions/PortalPollsNotes.fnc.php"

action="Modules.php?modname=misc/Portal.php&modfunc=poll_vote"

target="divPortalPoll’ . $poll_id . '">

<table class="width-100p widefat">’;
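Review bot: the new `action` routes the vote through `Modules.php`, so the request now passes the application front controller instead of hitting `ProgramFunctions/PortalPollsNotes.fnc.php` directly, which is the right fix; however, the visible form markup still carries no anti-CSRF token, and a poll vote is a state-changing POST, so consider adding one while this form is being touched. Also worth a comment in the code: the `target="divPortalPoll…"` attribute only works because client-side JavaScript intercepts the submit, so the handler in Portal.php must not assume the request is AJAX.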

@@ -364,33 +362,6 @@ function PortalPollsVotesDisplay( $poll_id, $display_votes, $poll_questions_RET,

return $votes_display;

}

// AJAX vote call:

if ( isset( $_POST[‘votes’] )

&& is_array( $_POST[‘votes’] ) )

{

if ( empty( $_SERVER[‘HTTP_X_REQUESTED_WITH’] )

|| $_SERVER[‘HTTP_X_REQUESTED_WITH’] !== ‘XMLHttpRequest’ )

{

die( ‘Error: no AJAX’ );

}

chdir( ‘…/’ );

require_once 'Warehouse.php’;

foreach ( (array) $_POST[‘votes’] as $poll_id => $votes_array )

{

if ( ! empty( $votes_array ) )

{

echo PortalPollsVote( $poll_id, $votes_array );

break;

}

}

exit();

}

/**

* @param $value

* @param $name
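Review bot: removing this handler is the right move, but note why it was exploitable: the `X-Requested-With: XMLHttpRequest` check was the only gate in front of it, that header is set by whoever sends the request, and the loop fed raw `$_POST['votes']` (both the array keys used as `$poll_id` and the values) straight into `PortalPollsVote()` after bootstrapping `Warehouse.php` itself. After the removal the file is still a web-accessible PHP script unless something blocks direct requests to `ProgramFunctions/*.fnc.php`, so add a guard at the top of the file that dies when it is requested directly rather than included, or document the web-server rule that denies it. One more thing to confirm: the old loop did `break` and then `exit()` after the first non-empty vote array, and the Portal.php replacement keeps that single-vote semantic; say in a comment that this is intended rather than a leftover.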

@@ -19,6 +19,25 @@ if ( $_REQUEST[‘modfunc’] === ‘redirect_take_attendance’ )

_redirectTakeAttendance();

}

// AJAX poll vote call.

if ( $_REQUEST[‘modfunc’] === ‘poll_vote’

&& ! empty( $_POST[‘votes’] ) )

{

// Fix #308 Unauthenticated SQL injection. Use sanitized $_REQUEST.

foreach ( (array) $_REQUEST[‘votes’] as $poll_id => $votes_array )

{

if ( ! empty( $votes_array ) )

{

// Result is displayed inside "divPortalPoll[id]" target div.

echo PortalPollsVote( $poll_id, $votes_array );

// Do not go further.

exit();

}

}

}

DrawHeader( ProgramTitle() );

DrawHeader( ‘<span id="salute"></span>’ );
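Review bot: the guard tests `! empty( $_POST['votes'] )` but the loop reads `$_REQUEST['votes']`, so the two can refer to different arrays: with `votes` present in both the query string and the body, `$_REQUEST` is resolved by PHP's `request_order`/`variables_order` and the loop may iterate a GET array that never passed the emptiness check. Use `$_REQUEST['votes']` in both places. Two further points: the comment "Use sanitized $_REQUEST" should say where that sanitization happens (which bootstrap file sanitizes `$_REQUEST` but not `$_POST`) so nobody reintroduces `$_POST` later; and `$poll_id` comes from the user-supplied array key and is passed as-is to `PortalPollsVote( $poll_id, $votes_array )`, while poll ids are numeric (the form id is built as `formPortalPoll' . $poll_id`), so cast it with `(int)` before the call instead of relying on the global sanitizer covering array keys. Dropping the old `X-Requested-With` check here is fine; it was never a security control.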
