100 per cent of us die, and the percentage cannot be increased.
C.S. Lewis
```php
<?php
...snip...
} elseif (isset($_POST['fetch'])) {
    // ajax pagination
    if (function_exists('wp_timezone_override_offset'))
        wp_timezone_override_offset();
    $st = (int) $_POST['fetch'] - 1;
    if (!empty($_POST['title'])) {
        $cond = "and m.title LIKE '%" . mysql_real_escape_string($_POST['title']) . "%' ";
    } else
        $cond = '';
    if ($_POST['preacher'] != 0) {
        $cond .= 'and m.preacher_id = ' . (int) $_POST['preacher'] . ' ';
    }
    if ($_POST['series'] != 0) {
        $cond .= 'and m.series_id = ' . (int) $_POST['series'] . ' ';
    }
    $m = $wpdb->get_results("SELECT SQL_CALC_FOUND_ROWS m.id, m.title, m.datetime, p.name as pname, s.name as sname, ss.name as ssname
        FROM {$wpdb->prefix}sb_sermons as m
        LEFT JOIN {$wpdb->prefix}sb_preachers as p ON m.preacher_id = p.id
        LEFT JOIN {$wpdb->prefix}sb_services as s ON m.service_id = s.id
        LEFT JOIN {$wpdb->prefix}sb_series as ss ON m.series_id = ss.id
        WHERE 1=1 {$cond}
        ORDER BY m.datetime desc, s.time desc
        LIMIT {$st}, " . sb_get_option('sermons_per_page'));
    $cnt = $wpdb->get_var("SELECT FOUND_ROWS()");
?>
<?php foreach ($m as $sermon): ?>
    <tr class="<?php echo ++$i % 2 == 0 ? 'alternate' : '' ?>">
        <th style="text-align:center" scope="row"><?php echo $sermon->id ?></th>
        <td><?php echo stripslashes($sermon->title) ?></td>
        <td><?php echo stripslashes($sermon->pname) ?></td>
        <td><?php echo ($sermon->datetime == '1970-01-01 00:00:00') ? __('Unknown', $sermon_domain) : strftime('%d %b %y', strtotime($sermon->datetime)); ?></td>
        <td><?php echo stripslashes($sermon->sname) ?></td>
        <td><?php echo stripslashes($sermon->ssname) ?></td>
        <td><?php echo sb_sermon_stats($sermon->id) ?></td>
        <td style="text-align:center">
            <a href="<?php echo $_SERVER['PHP_SELF'] ?>?page=sermon-browser/new_sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Edit', $sermon_domain) ?></a> |
            <a onclick="return confirm('Are you sure?')" href="<?php echo $_SERVER['PHP_SELF'] ?>?page=sermon-browser/sermon.php&mid=<?php echo $sermon->id ?>"><?php _e('Delete', $sermon_domain) ?></a>
        </td>
    </tr>
<?php endforeach ?>
<script type="text/javascript">
<?php if ($cnt < sb_get_option('sermons_per_page') || $cnt <= $st + sb_get_option('sermons_per_page')): ?>
    jQuery('#right').css('display', 'none');
<?php elseif ($cnt > $st + sb_get_option('sermons_per_page')): ?>
    jQuery('#right').css('display', '');
<?php endif ?>
</script>
<?php
} elseif (isset($_POST['fetchU']) || isset($_POST['fetchL']) || isset($_POST['search'])) {
    // ajax pagination (uploads)
    if (isset($_POST['fetchU'])) {
        $st = (int) $_POST['fetchU'] - 1;
        $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.sermon_id = 0 AND f.type = 'file' ORDER BY f.name LIMIT {$st}, " . sb_get_option('sermons_per_page'));
    } elseif (isset($_POST['fetchL'])) {
        $st = (int) $_POST['fetchL'] - 1;
        $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.sermon_id <> 0 AND f.type = 'file' ORDER BY f.name LIMIT {$st}, " . sb_get_option('sermons_per_page'));
    } else {
        $s = mysql_real_escape_string($_POST['search']);
        $abc = $wpdb->get_results("SELECT f.*, s.title FROM {$wpdb->prefix}sb_stuff AS f LEFT JOIN {$wpdb->prefix}sb_sermons AS s ON f.sermon_id = s.id WHERE f.name LIKE '%{$s}%' AND f.type = 'file' ORDER BY f.name;");
    }
?>
<?php if (count($abc) >= 1): ?>
<?php foreach ($abc as $file): ?>
    <tr class="file <?php echo (++$i % 2 == 0) ? 'alternate' : '' ?>" id="<?php echo $_POST['fetchU'] ? '' : 's' ?>file<?php echo $file->id ?>">
        <th style="text-align:center" scope="row"><?php echo $file->id ?></th>
        <td id="<?php echo $_POST['fetchU'] ? '' : 's' ?><?php echo $file->id ?>"><?php echo substr($file->name, 0, strrpos($file->name, '.')) ?></td>
        <td style="text-align:center"><?php echo isset($filetypes[substr($file->name, strrpos($file->name, '.') + 1)]['name']) ? $filetypes[substr($file->name, strrpos($file->name, '.') + 1)]['name'] : strtoupper(substr($file->name, strrpos($file->name, '.') + 1)) ?></td>
        <?php if (!isset($_POST['fetchU'])) { ?>
        <td><?php echo stripslashes($file->title) ?></td>
        <?php } ?>
        <td style="text-align:center">
            <script type="text/javascript" language="javascript">
                function deletelinked_<?php echo $file->id; ?>(filename, filesermon) {
                    if (confirm('Do you really want to delete ' + filename + '?')) {
                        if (filesermon != '') {
                            return confirm('This file is linked to the sermon called [' + filesermon + ']. Are you sure you want to delete it?');
                        }
                        return true;
                    }
                    return false;
                }
            </script>
            <?php if (isset($_POST['fetchU'])) { ?>
            <a id="" href="<?php echo $_SERVER['PHP_SELF'] . "?page=sermon-browser/new_sermon.php&getid3={$file->id}"; ?>"><?php _e('Create sermon', $sermon_domain) ?></a> |
            <?php } ?>
            <a id="link<?php echo $file->id ?>" href="javascript:rename(<?php echo $file->id ?>, '<?php echo $file->name ?>')"><?php _e('Rename', $sermon_domain) ?></a> |
            <a onclick="return deletelinked_<?php echo $file->id; ?>('<?php echo str_replace("'", '', $file->name) ?>', '<?php echo str_replace("'", '', $file->title) ?>');" href="javascript:kill(<?php echo $file->id ?>, '<?php echo $file->name ?>');"><?php _e('Delete', $sermon_domain) ?></a>
        </td>
    </tr>
<?php endforeach ?>
<?php else: ?>
    <tr><td><?php _e('No results', $sermon_domain) ?></td></tr>
<?php endif ?>
<?php } die(); ?>
```
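As an added example (this is not the Sermon Browser plugin's code), here is the first "ajax pagination" branch rebuilt the way the listing should be written: request values are bound as statement parameters instead of being concatenated into the SQL, the LIMIT/OFFSET values are bound as integers, the admin link uses a fixed path rather than `$_SERVER['PHP_SELF']`, and every value that lands in HTML or in a JavaScript string is escaped for that context. It assumes only PHP with PDO and the sqlite driver; the tables and rows are constructed here so it runs offline, and `$post`/`$perPage` stand in for `$_POST` and `sb_get_option('sermons_per_page')`.

```php
<?php
// Added example; not code from the Sermon Browser plugin.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sb_sermons (id INTEGER PRIMARY KEY, title TEXT, preacher_id INTEGER, datetime TEXT)");
$db->exec("CREATE TABLE sb_preachers (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO sb_preachers VALUES (1, 'Jane'), (2, 'O''Brien')");
// Constructed rows; the second title carries markup to exercise the output escaping.
$db->exec("INSERT INTO sb_sermons VALUES (1, 'Grace', 1, '2005-02-09 14:47:00'),"
        . " (2, '<img src=x onerror=alert(1)>', 2, '1970-01-01 00:00:00')");

// Returns the rendered <tr> strings for one page of results.
function render_sermon_rows(PDO $db, array $post, int $perPage): array
{
    $sql = "SELECT m.id, m.title, m.datetime, p.name AS pname"
         . " FROM sb_sermons AS m LEFT JOIN sb_preachers AS p ON m.preacher_id = p.id"
         . " WHERE 1=1";
    $params = [];
    if (!empty($post['title'])) {
        // Bound as a parameter, so quotes or odd bytes in the value never reach the
        // SQL parser; LIKE metacharacters are escaped so the user cannot widen the pattern.
        $sql .= " AND m.title LIKE :title ESCAPE '!'";
        $params[':title'] = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $post['title']) . '%';
    }
    if (!empty($post['preacher'])) {
        $sql .= " AND m.preacher_id = :preacher";
        $params[':preacher'] = (int) $post['preacher'];
    }
    $sql .= " ORDER BY m.datetime DESC LIMIT :lim OFFSET :off";

    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    // LIMIT/OFFSET must be bound as integers; bound as strings they would be quoted.
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', max(0, (int) ($post['fetch'] ?? 1) - 1), PDO::PARAM_INT);
    $stmt->execute();

    // Fixed admin paths instead of $_SERVER['PHP_SELF'] (hypothetical values).
    $editBase   = 'admin.php?page=sermon-browser/new_sermon.php';
    $deleteBase = 'admin.php?page=sermon-browser/sermon.php';
    $rows = [];
    foreach ($stmt->fetchAll(PDO::FETCH_OBJ) as $i => $s) {
        // date() replaces the deprecated strftime() used by the plugin.
        $when  = ($s->datetime === '1970-01-01 00:00:00') ? 'Unknown' : date('d M y', strtotime($s->datetime));
        $title = htmlspecialchars($s->title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $pname = htmlspecialchars((string) $s->pname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $edit  = htmlspecialchars($editBase . '&mid=' . (int) $s->id, ENT_QUOTES, 'UTF-8');
        $del   = htmlspecialchars($deleteBase . '&mid=' . (int) $s->id, ENT_QUOTES, 'UTF-8');
        // A value inside a JS string literal is JSON-encoded first (HEX flags turn
        // <, >, &, and both quote kinds into \uXXXX), then attribute-escaped.
        $confirm = json_encode('Delete ' . $s->title . '?', JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        $onclick = htmlspecialchars('return confirm(' . $confirm . ')', ENT_QUOTES, 'UTF-8');
        $rows[] = sprintf(
            '<tr class="%s"><th scope="row">%d</th><td>%s</td><td>%s</td><td>%s</td>'
            . '<td><a href="%s">Edit</a> | <a onclick="%s" href="%s">Delete</a></td></tr>',
            ($i + 1) % 2 === 0 ? 'alternate' : '', (int) $s->id, $title, $pname, $when, $edit, $onclick, $del
        );
    }
    return $rows;
}

// Constructed request: title search for "r" (matches both rows), no preacher filter, page 1.
foreach (render_sermon_rows($db, ['title' => 'r', 'preacher' => '0', 'fetch' => '1'], 10) as $row) {
    echo $row, "\n";
}
```

Run it with `php` on the command line; the second row prints the title as `&lt;img src=x onerror=alert(1)&gt;` and the confirm text as `\u003Cimg ...\u003E`, so neither the HTML nor the inline JavaScript is interpreted as markup. The same three rules carry over to the uploads branch, where `$file->name` and `$file->title` are written straight into `href="javascript:..."` and `onclick` strings.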



I see two possible problems here:
1. XSS in $_SERVER['PHP_SELF'] as explained in
http://www.mc2design.com/blog/php_self-safe-alternatives
2. Possible SQL injection if the code can output and store different character sets (notably GBK simplified chinese). Don’t have all of the source code but there is a known problem with certain multi-byte character sets (GBK-simplified chinese for one) and mysql_real_escape_string().
According to http://bugs.mysql.com/bug.php?id=8378
==================================================
[9 Feb 2005 14:47] John Percival
I think that this is probably quite a major issue. Take for example, the following SQL
query:
SELECT * FROM user WHERE username = '¿\'OR userid = 1 --'
That could easily be produced by:
$username = "¿'OR userid = 1 --";
mysql_query("SELECT * FROM USER WHERE username = _latin1'" .
mysql_real_escape_string($username) . "'");
What I’m saying is that this bug opens the door to SQL injection attacks,when running in
GBK and some other multi-byte charsets.
I have posted this comment in bugs #8317 and #8378 as I think that it’s pertinent to
both:mysql_real_escape_string() needs to throw an error if it can’t properly escape the
string in the current charset;the parser needs to be able to use the _latin1 introducer
to determine how it parses the following literal string.
==================================================
What it boils down to is that PHP is running under a character set which does not understand multibyte character sets, or the version of PHP does not understand multibyte character sets. When mysql_real_escape_string() looks at the incoming string it sees two characters (an unknown character and a single quote). Because it sees a single quote it replaces the single quote with \' (backslash single quote). The problem occurs when the string is passed to the database and parsed using the character set of the database (in this case GBK). In the GBK character set the unknown character and the backslash combine into a multibyte character and the single quote escaping (the prepended backslash) is removed.
So an attacker supplies:
¿'OR userid = 1 --";
and what is returned from mysql_real_escape_string():
¿\'OR userid = 1 --";
When the SQL string is passed to the database the query becomes:
(new single char which was a combination of ¿ and \)'OR userid = 1 --";
This allows a single quote to be passed to the database unescaped.
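The byte-level mechanism in the comment above, as an added example that is neither the commenter's nor the plugin's code. It models two escapers: one that treats every byte as a character (what the client library does when it was never told the connection charset is GBK) and one that knows GBK, steps over complete two-byte characters and, like the fix that came out of MySQL bug #8378, also backslash-escapes a lone lead byte so it can never pair with the backslash that follows it. A simplified model of the server reading the quoted literal then reports whether a quote would terminate the literal early. The GBK lead/trail byte ranges are from the GBK definition; everything else (function names, the reduced lexer) is an assumption made for the example, and only core PHP is needed.

```php
<?php
// Added example; not code from the plugin or from the comment's author.
function gbk_is_lead(int $b): bool
{
    return $b >= 0x81 && $b <= 0xFE;
}

function gbk_is_trail(int $b): bool
{
    return ($b >= 0x40 && $b <= 0x7E) || ($b >= 0x80 && $b <= 0xFE);
}

// Escaper that believes every byte is one character: the behaviour the comment
// describes when the client library was never told the connection uses GBK.
function escape_single_byte(string $s): string
{
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\""]);
}

// Charset-aware escaper: copies complete GBK characters untouched, escapes a
// lead byte that does not form a valid character, and escapes the usual specials.
function escape_gbk(string $s): string
{
    $out = '';
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        $b = ord($s[$i]);
        if (gbk_is_lead($b) && $i + 1 < $n && gbk_is_trail(ord($s[$i + 1]))) {
            $out .= $s[$i] . $s[$i + 1];   // complete two-byte character
            $i++;
        } elseif (gbk_is_lead($b)) {
            $out .= "\\" . $s[$i];          // lone lead byte: neutralise it
        } elseif ($b === 0x27 || $b === 0x22 || $b === 0x5C) {
            $out .= "\\" . $s[$i];
        } else {
            $out .= $s[$i];
        }
    }
    return $out;
}

// Reduced model of the server reading the bytes between the quotes as GBK:
// a complete GBK character is consumed whole, a backslash consumes the next
// byte, and any remaining single quote would end the literal. Returns true
// when the escaping failed, i.e. a quote survives unescaped.
function literal_breaks_out(string $escaped): bool
{
    $n = strlen($escaped);
    for ($i = 0; $i < $n; $i++) {
        $b = ord($escaped[$i]);
        if (gbk_is_lead($b) && $i + 1 < $n && gbk_is_trail(ord($escaped[$i + 1]))) {
            $i++;
        } elseif ($b === 0x5C) {
            $i++;
        } elseif ($b === 0x27) {
            return true;
        }
    }
    return false;
}

// Constructed input with the shape the comment describes: a lead byte (0xBF)
// directly followed by a single quote.
$input = "\xBF' trailing text";

// 0xBF 0x5C 0x27: the backslash is absorbed into one GBK character, the quote is bare.
var_dump(literal_breaks_out(escape_single_byte($input)));   // bool(true)
// 0x5C 0xBF 0x5C 0x27: each backslash protects exactly one byte, the quote stays escaped.
var_dump(literal_breaks_out(escape_gbk($input)));           // bool(false)
```

The practical takeaways for a PHP deployment are the ones the PHP manual gives for mysql_real_escape_string(): set the connection charset through the client library (mysql_set_charset() in the old extension, the charset option of mysqli/PDO today) rather than with a bare `SET NAMES` query, which the escaper never sees, or sidestep the problem entirely by binding parameters as in the first example.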