From 59ebafdf81366b36da5deedde679dd61a84500e2 Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Tue, 28 Mar 2017 21:56:49 -0400
Subject: [PATCH] Fix some potention SQL injection vulns
---
 admin/admin_reply_ticket.php | 2 +-
 admin/admin_ticket.php | 10 +++++-----
 admin/assign_owner.php | 3 ++-
 verifyemail.php | 2 +-
 4 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/admin/admin_reply_ticket.php b/admin/admin_reply_ticket.php
index 81e485f1..96ab9f9f 100644
--- a/admin/admin_reply_ticket.php
+++ b/admin/admin_reply_ticket.php
@@ -234,7 +234,7 @@ if ($ticket['locked']) {
 if ($ticket['status'] != $new_status) {
 // Does this status close the ticket?
- $newStatusRs = hesk_dbQuery('SELECT `IsClosed`, `Key` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . hesk_dbEscape($new_status));
+ $newStatusRs = hesk_dbQuery('SELECT `IsClosed`, `Key` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . intval($new_status));
 $newStatus = hesk_dbFetchAssoc($newStatusRs);
 if ($newStatus['IsClosed'] && hesk_checkPermission('can_resolve', 0)) {
diff --git a/admin/admin_ticket.php b/admin/admin_ticket.php
index 55c3cd89..84e53d02 100644
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
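Review bot: The cast on the `+` line is correct, but the row it looks up is never checked: `$newStatus['IsClosed']` two lines later reads the result of `hesk_dbFetchAssoc()` even when no status row matched, and `intval()` silently turns a non-numeric `$new_status` into 0, which makes an empty result more likely than before. Unless `$new_status` is validated earlier in the file (not visible in this hunk), guard the read with `if (!$newStatus) {` and reject the status change before touching `IsClosed`. The same unchecked-row pattern appears in the `@@ -1281` hunk of admin/admin_ticket.php, where `$isTicketClosedRow['IsClosed']` is read right after the fetch inside `hesk_getAdminButtons()`. The enclosing `if ($ticket['status'] != $new_status)` block continues past the end of the hunk.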
@@ -470,12 +470,12 @@ if (($can_reply || $can_edit) && isset($_POST['childTrackingId'])) {
 }
 //-- Check if the ticket is already a child.
- $childRs = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` WHERE `parent` = ' . $ticket['id'] . ' AND `trackid` = \'' . $_POST['childTrackingId'] . '\'');
+ $childRs = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` WHERE `parent` = ' . intval($ticket['id']) . ' AND `trackid` = \'' . hesk_dbEscape(hesk_POST(['childTrackingId'])) . '\'');
 if (hesk_dbNumRows($childRs) > 0) {
 hesk_process_messages(sprintf($hesklang['is_already_linked'], $_POST['childTrackingId']), 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999), 'NOTICE');
 }
- hesk_dbQuery('UPDATE `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` SET `parent` = ' . $ticket['id'] . ' WHERE `trackid` = \'' . $_POST['childTrackingId'] . '\'');
+ hesk_dbQuery('UPDATE `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` SET `parent` = ' . intval($ticket['id']) . ' WHERE `trackid` = \'' . hesk_dbEscape(hesk_POST['childTrackingId']) . '\'');
 hesk_process_messages(sprintf($hesklang['link_added'], $_POST['childTrackingId']), 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999), 'SUCCESS');
 }
@@ -746,7 +746,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
 if ($ticket['parent'] != null) {
 //-- Get the tracking ID of the parent
 $parentRs = hesk_dbQuery('SELECT `trackid` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets`
- WHERE `ID` = ' . hesk_dbEscape($ticket['parent']));
+ WHERE `ID` = ' . intval($ticket['parent']));
 $parent = hesk_dbFetchAssoc($parentRs);
 echo ' ';
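Review bot: Both added lines in the `@@ -470` hunk call the POST helper incorrectly: the first passes an array literal, `hesk_POST(['childTrackingId'])`, and the second, `hesk_POST['childTrackingId']`, does not call the function at all but indexes the bare name, so the `UPDATE` would not receive the submitted tracking ID. Elsewhere in this patch the request helpers take the key as a string (`hesk_REQUEST('unassigned')`, `hesk_GET('confirm')`), so assuming `hesk_POST()` follows the same signature both places should read `hesk_dbEscape(hesk_POST('childTrackingId'))`. Both `sprintf(..., $_POST['childTrackingId'])` message calls in the same hunk still pass the raw value; whether `hesk_process_messages()` escapes it for output is not visible here. The `if (($can_reply || $can_edit) && isset($_POST['childTrackingId']))` block starts before the hunk.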
@@ -755,7 +755,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
 //-- Check if any tickets have a parent set to this tracking ID
 $hasRows = false;
 $childrenRS = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets`
- WHERE `parent` = ' . hesk_dbEscape($ticket['id']));
+ WHERE `parent` = ' . intval($ticket['id']));
 while ($row = hesk_dbFetchAssoc($childrenRS)) {
 $hasRows = true;
 echo '
@@ -1281,7 +1281,7 @@ function hesk_getAdminButtons($category_id)
 }
 }
- $isTicketClosedSql = 'SELECT `IsClosed`, `Closable` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . $ticket['status'];
+ $isTicketClosedSql = 'SELECT `IsClosed`, `Closable` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . intval($ticket['status']);
 $isTicketClosedRs = hesk_dbQuery($isTicketClosedSql);
 $isTicketClosedRow = hesk_dbFetchAssoc($isTicketClosedRs);
 $isTicketClosed = $isTicketClosedRow['IsClosed'];
diff --git a/admin/assign_owner.php b/admin/assign_owner.php
index 92d2f7c2..64a6426d 100755
--- a/admin/assign_owner.php
+++ b/admin/assign_owner.php
@@ -92,8 +92,9 @@ if (!$row['isadmin']) {
 // Make sure two people don't assign a ticket to a different user at the same time
 if ($ticket['owner'] && $ticket['owner'] != $owner && hesk_REQUEST('unassigned') && hesk_GET('confirm') != 'Y') {
 $new_owner = ($owner == $_SESSION['id']) ? $hesklang['scoy'] : sprintf($hesklang['scot'], $row['name']);
+ $originalOwner = intval($ticket['owner']);
- $res = hesk_dbQuery("SELECT `name` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."users` WHERE `id`='{$ticket['owner']}' LIMIT 1");
+ $res = hesk_dbQuery("SELECT `name` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."users` WHERE `id`='{$originalOwner}' LIMIT 1");
 if (hesk_dbNumRows($res) == 1) {
 $row = hesk_dbFetchAssoc($res);
diff --git a/verifyemail.php b/verifyemail.php
index 72150119..245d108f 100644
--- a/verifyemail.php
+++ b/verifyemail.php
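Review bot: In the admin/assign_owner.php hunk the new local `$originalOwner` is the only camelCase name in a block that otherwise uses snake_case (`$new_owner`, `$res`, `$row`), and the integer it holds is still wrapped in single quotes in the query, so `id` is compared against a string literal rather than the number the cast just produced. Suggest `$original_owner = intval($ticket['owner']);` and dropping the quotes around `{$original_owner}` in the `WHERE` clause of the `SELECT` that follows. The surrounding `if ($ticket['owner'] && ...)` block continues past the end of the hunk.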
@@ -48,7 +48,7 @@ require_once(HESK_PATH . 'inc/header.inc.php');
 // Need to notify staff?
 // --> From autoassign?
- $getOwnerRs = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE ID = " . hesk_dbEscape($ticket['owner']));
+ $getOwnerRs = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE ID = " . intval($ticket['owner']));
 $autoassign_owner = hesk_dbFetchAssoc($getOwnerRs);
 if ($ticket['owner'] && $autoassign_owner['notify_assigned']) {
 hesk_notifyAssignedStaff($autoassign_owner, 'ticket_assigned_to_you', $modsForHesk_settings);