SQL injections in PHP scripts

[cedlecomte]

From rgaco...@gmail.com on May 28, 2012 11:03:18

Hi,

I'm afraid there is several potential SQL injections in the PHP scripts provided with RTG2.
In 95.php, view.php and rtg.php, all values are retrieved from user submitted parameters then directly passed as-is to mysql_query (or potentially pg_query in rtg.php).

I know the best practice is to restrict access to the RTG interface to trusted users, but I think this needs to be fixed nevertheless. Given that there is not a lot of different requests, using prepared statements seems to be the easiest way to do it.

Please don't hesitate to contact me if you need more information or if you disagree with this report.

Regards,

Rémi Gacogne

Original issue: http://code.google.com/p/rtg2/issues/detail?id=35

[cedlecomte]

From rgaco...@gmail.com on July 08, 2012 14:20:10

Hi,

This has been assigned CVE-2012-3881 by MITRE.

Regards,

Rémi Gacogne

[bewing]

As a learning exercise, I'm rewriting the new targetmaker's view.php as a symfony bundle, whose DBAL should resolve any injection issues.

I think the higher arching question, however, is do we want to continue bundling the insecure scripts, or remove all the web functionality from the project, and rely on other packages to generate the rtgplot.cgi URLs and associated HTML/content output?

[lnxus]

@bewing - what other packages are available generate the HTML content? I've yet to see one that was not bundled.