SQL Injection in acct_mgr.api.AccountManager.lastseen()
|Reported by:||Steffen Hoffmann||Owned by:||Steffen Hoffmann|
|Severity:||minor||Keywords:||sql injection security|
|Cc:||Ryan J Ollos, Michael Renzmann||Trac Release:||0.11|
In the dawn of 2012-04-25 this claim was brought privately to my attention by Timo "bluec0re" Schmid. The following is a rough translation of the German original email message:
The AccountManagerPlugin for Trac includes an SQL injection vulnerability in the user admin page, more specifically in
ap.py:last_seen. There the username is directly included into the SQL statement.
This vulnerability is hard to exploit, because
- ) one doesn't get feedback about the query result
- ) one needs access to the useradmin section as a prerequisite
- ) one is unable to execute multiple statements at a time. (something like
';INSERT INTO permissions values ('bluec0re', 'TRAC_ADMIN')--` is impossible)
Nevertheless at that place parameter binding should be used as well:
277 277 WHERE authenticated=1 278 278 """ 279 279 if user: 280 sql = "%s AND sid='%s'" % (sql, user) 281 cursor.execute(sql) 280 sql += " AND sid=?" 281 cursor.execute(sql, (user,)) 282 else: 283 cursor.execute(sql) 282 284 # Don't pass over the cursor (outside of scope), only it's content. 283 285 res =  284 286 for row in cursor:
I replicate this information for reference, because I adhere to a strict don't-hide-security-problems policy. IMHO this is the only responsible way to go for a component like AccountManager.