fixed huge SQL injection vulnerability created in bruteforce protection.

Shame on me !!!
pull/61/head
Christophe Vandeplas 2012-06-06 11:12:19 +02:00
parent 9cd1b0469d
commit 0687d3f6f4
1 changed files with 5 additions and 3 deletions


@ -1,5 +1,7 @@
<?php
App::uses('AppModel', 'Model');
App::uses('Sanitize', 'Utility');
/**
* Bruteforce Model
*
@ -8,10 +10,10 @@ class Bruteforce extends AppModel {
function insert($ip, $username) {
// $this->data['Bruteforce']['ip'] = $ip;
// $this->data['Bruteforce']['username'] = $username;
$expire = Configure::read('SecureAuth.expire');
// sanitize fields
$ip = Sanitize::clean($ip);
$username = Sanitize::clean($username);
$this->query("INSERT INTO `bruteforces` (`ip` , `username` , `expire` ) VALUES ('$ip', '$username', TIMESTAMPADD(SECOND,$expire, NOW()));");
}
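Review bot: The new query on line 27 still interpolates `$ip`, `$username` and `$expire` straight into the SQL string, so the fix rests on whatever `Sanitize::clean()` does by default rather than on the driver quoting the values, and `$expire` is neither sanitized nor cast at all. `Sanitize::clean()` is a general-purpose cleaner (its defaults also HTML-encode and strip characters, as far as I recall), so the stored `username` may no longer equal the raw value a later lookup compares against. CakePHP 2's `Model::query()` accepts a parameter array as its second argument, so the safer form is to replace the three interpolated values with `?` placeholders and call `$this->query($sql, array($ip, $username, (int)$expire))`, after which the `Sanitize::clean()` calls on lines 25–26 are unnecessary. Alternatively the ORM path hinted at by the commented-out lines 21–22 (`$this->save()` with `expire` computed in PHP) avoids raw SQL entirely; the enclosing class `Bruteforce` continues outside the hunk.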