FUDforum: Bug Reports » Apostrophe in e-mail address causes sql failures. Possible vulnerability.

Home » FUDforum Development » Bug Reports » Apostrophe in e-mail address causes sql failures. Possible vulnerability.

Show: Today's Messages :: Polls :: Message Navigator

Apostrophe in e-mail address causes sql failures. Possible vulnerability. [message #7594]

Thu, 05 December 2002 00:57

adamc

Messages: 4
Registered: December 2002

Karma: 0

Junior Member

Apostrophe in e-mail address causes sql failures on New Thread (at least).

The apostropie is not being escaped properly in the SQL creation. This is possibly also evidence of an SQL injection vulnerability, however I have not persued this far enough to check yet.

An apostrophie is allowed in an e-mail address (e.g. Mike.O'Hara(at)test(dot)com) according to the relevant RFC's so it should be accepted.

Report message to a moderator

Re: Apostrophe in e-mail address causes sql failures. Possible vulnerability. [message #7595 is a reply to message #7594]

Thu, 05 December 2002 01:00

adamc

Messages: 4
Registered: December 2002

Karma: 0

Junior Member

Note that the e-mail address parsing code also fails to recognise the e-mail address above as valid and therefore creates an incorrectly formed <A> tag for the address.

Report message to a moderator

Re: Apostrophe in e-mail address causes sql failures. Possible vulnerability. [message #7596 is a reply to message #7595]

Thu, 05 December 2002 01:13

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

Fixed in CVS.

FUDforum Core Developer

Report message to a moderator

Previous Topic:	Getting PHP compilation warning v2.3.5
Next Topic:	v2.3.5 action log

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Sep 20 07:29:50 GMT 2024

Total time taken to generate the page: 0.02660 seconds