Skip to content
Snippets Groups Projects
Select Git revision
  • develop default protected
  • develop-next
  • 1.14.x
  • 1.12.x
  • master
  • 1.10.x
  • 1.11.x
  • 1.9.x
  • revert-3168-issue/2910
  • 1.8.x
  • 1.8.0.x
  • v1.14.1
  • v1.12.5
  • v1.14
  • v1.12.4
  • v1.14-rc2
  • v1.12.3
  • v1.14.-rc1
  • v1.14-rc1
  • v1.12.2
  • v1.12.1
  • v1.10.7
  • v1.12
  • v1.10.6
  • v1.11
  • v1.10.5
  • v1.11.0-rc1
  • v1.10.4
  • v1.10.3
  • v1.10.2
  • v1.10.1
31 results
Blame Permalink
  • Peter Rotich's avatar
    1eaa6910
    CVE-2017-14396 · 1eaa6910
    Peter Rotich authored 
    This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
    1eaa6910
    History
    CVE-2017-14396
    Peter Rotich authored 
    This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.
file.php 1.86 KiB 
<?php
/*********************************************************************
    file.php

    File download facilitator for clients

    Peter Rotich <peter@osticket.com>
    Jared Hancock <jared@osticket.com>
    Copyright (c)  2006-2014 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require('client.inc.php');
require_once(INCLUDE_DIR.'class.file.php');

//Basic checks
if (!$_GET['key']
    || !$_GET['signature']
    || !$_GET['expires']
    || !($file = AttachmentFile::lookupByHash($_GET['key']))
) {
    Http::response(404, __('Unknown or invalid file'));
}

// Enforce security settings
if ($cfg->isAuthRequiredForFiles() && !$thisclient) {
    if (!($U = StaffAuthenticationBackend::getUser())) {
        // Try and determine if a staff is viewing this page
        if (strpos($_SERVER['HTTP_REFERRER'], ROOT_PATH .  'scp/') !== false) {
            $_SESSION['_staff']['auth']['dest'] =
                '/' . ltrim($_SERVER['REQUEST_URI'], '/');
            Http::redirect(ROOT_PATH.'scp/login.php');
        }
        else {
            require 'secure.inc.php';
        }
    }
}

// Validate session access hash - we want to make sure the link is FRESH!
// and the user has access to the parent ticket!!
if ($file->verifySignature($_GET['signature'], $_GET['expires'])) {
    try {
        if (($s = @$_GET['s']) && strpos($file->getType(), 'image/') === 0)
            return $file->display($s);

        // Download the file..
        $file->download(@$_GET['disposition'] ?: false, $_GET['expires']);
    }
    catch (Exception $ex) {
        Http::response(500, 'Unable to find that file: '.$ex->getMessage());
    }
}
// else
Http::response(404, __('Unknown or invalid file'));