fixed huge SQL injection vulnerability created in bruteforce protection.
Shame on me !!!pull/61/head
parent
9cd1b0469d
commit
0687d3f6f4
|
@ -1,5 +1,7 @@
|
|||
<?php
|
||||
App::uses('AppModel', 'Model');
|
||||
App::uses('Sanitize', 'Utility');
|
||||
|
||||
/**
|
||||
* Bruteforce Model
|
||||
*
|
||||
|
@ -8,10 +10,10 @@ class Bruteforce extends AppModel {
|
|||
|
||||
|
||||
function insert($ip, $username) {
|
||||
// $this->data['Bruteforce']['ip'] = $ip;
|
||||
// $this->data['Bruteforce']['username'] = $username;
|
||||
$expire = Configure::read('SecureAuth.expire');
|
||||
|
||||
// sanitize fields
|
||||
$ip = Sanitize::clean($ip);
|
||||
$username = Sanitize::clean($username);
|
||||
$this->query("INSERT INTO `bruteforces` (`ip` , `username` , `expire` ) VALUES ('$ip', '$username', TIMESTAMPADD(SECOND,$expire, NOW()));");
|
||||
}
|
||||
|
||||
|
|
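Review bot: The `$this->query("INSERT INTO \`bruteforces\` ...")` line still builds the statement by string interpolation, so the fix rests entirely on `Sanitize::clean()`, which is a general-purpose cleaner rather than parameter binding, and `$expire` (read from `Configure::read('SecureAuth.expire')`) is interpolated unquoted with no numeric cast. A safer shape is to let the model build the insert, e.g. `$this->create(); $this->save(array('Bruteforce' => array('ip' => $ip, 'username' => $username, 'expire' => $expireAt)));` with the expiry timestamp computed in PHP, or, if this CakePHP version's `Model::query()` accepts a bound-parameter array as its second argument, pass `$ip`, `$username` and `(int) $expire` as placeholders instead of interpolating them. At minimum the expiry should be cast before use, `$expire = (int) Configure::read('SecureAuth.expire');`. The commented-out `$this->data[...]` assignments above the query could then be dropped rather than left as dead code.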