Summary: ASTERISK-07382: [patch] Possible SQL injection in addons/res_config_mysql.c
Reporter: Thomas Equeter (waba)
Labels:
Date Opened: 2006-07-21 14:31:08
Date Closed: 2006-07-23 03:59:07
Versions:
Frequency of:
Environment:
Attachments: (0) res_config_mysql.c.patch

Description:
The MySQL RealTime driver for the configuration engine doesn't escape the value arguments before including them in the query. Admittedly, the phone user has less control over these values than, say, a web user. However, it suffices that the PBX admin uses the caller ID in a realtime call to let nasty things happen.

This patch escapes the value arguments before sending them to the SQL server (single query, multiquery and update). I initially attempted to use prepared statements like in the UnixODBC driver, but the related MySQL API is really too complex for this simple task. The result looked more like a hack than clean code. While at it, I also fixed a couple of harmless compiler warnings.

It might be worth mentioning in the security doc that letting the users control the "colmatch" (that is, column name) is asking for trouble (as this one is not escaped, in any driver). I see no reason why one would use the caller ID or any other user-supplied textual data there, but who knows? The other way around is to allow only alphanumerics in this field, but it disables "smart" undocumented things like CONCAT(firstname,lastname). Unlikely to be used either, though.

I had a look at the other *sql*.c files (asterisk and addons), they all seem fine (calls to escape functions, prepared statements, or similar).


Disclaimer on file: technically no, but I just faxed it.
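The two defences the report describes, as an added example that is neither Asterisk's code nor the attached patch: values are escaped with the rules mysql_real_escape_string() applies (an assumption; the rules are reimplemented here so the snippet builds without libmysqlclient), while the column name (the "colmatch") is checked against an identifier allowlist instead, because a column name cannot be protected by string-literal escaping. All inputs below are constructed caller-ID strings, not data from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside a single-quoted SQL string literal.
 * Assumption: these are the same characters mysql_real_escape_string()
 * rewrites (newline, carriage return, backslash, both quote characters,
 * Ctrl-Z). Returns the bytes written (excluding the NUL) or -1 if the
 * output buffer is too small. */
static long escape_sql_value(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    for (; *in; in++) {
        char esc = 0;
        switch (*in) {
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\032': esc = 'Z';  break;
        }
        if (esc) {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = esc;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Column names are not string literals, so escaping does not help; the
 * alternative the report mentions is an allowlist. Assumption: letters,
 * digits and underscore are the only permitted identifier characters,
 * which rejects expressions such as CONCAT(firstname,lastname). */
static int is_safe_column_name(const char *name)
{
    if (!*name) return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && *name != '_')
            return 0;
    return 1;
}

/* Build "WHERE <column> = '<escaped value>'" in a static buffer.
 * Returns NULL when the column name is rejected or a buffer is too small. */
static const char *build_where_clause(const char *column, const char *value)
{
    static char sql[256];
    char escaped[128];

    if (!is_safe_column_name(column)) return NULL;
    if (escape_sql_value(escaped, sizeof(escaped), value) < 0) return NULL;
    if (snprintf(sql, sizeof(sql), "WHERE %s = '%s'", column, escaped)
            >= (int)sizeof(sql))
        return NULL;
    return sql;
}

int main(void)
{
    /* Constructed caller-ID values: one benign, one carrying a quote. */
    const char *benign = "Alice O'Brien";
    const char *quoted = "x' OR '1'='1";

    printf("%s\n", build_where_clause("callerid", benign));
    printf("%s\n", build_where_clause("callerid", quoted));
    /* A column name that is not a plain identifier is refused outright. */
    printf("%s\n", build_where_clause("callerid) OR (1=1", benign)
                   ? "accepted" : "rejected");
    return 0;
}
```

The escaped value keeps the quote inside the literal, so the second query still compares against the literal string rather than a second condition, and the column check is what stands in for the "alphanumerics only" rule the report weighs against undocumented expressions in colmatch.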
Comments:
By: Tilghman Lesher (tilghman) 2006-07-23 03:59:07

Fixed in 1.2; merged to trunk.