yubikey-val icon indicating copy to clipboard operation
yubikey-val copied to clipboard

Published 20 hours ago verified publisher icon Yubico

Possible SQL injection vulnerability in ykval-synclib.php

Open aqlnce-af opened this issue 4 years ago • 1 comments

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L94

Is this not a SQL injection vulnerability?

$res = $this->db->customQuery("SELECT id, secret FROM clients WHERE active='1' AND id='" . $client . "'");

aqlnce-af avatar Jul 31 '20 16:07 aqlnce-af

Looks like it could be. However, the reference implementation contains

https://github.com/Yubico/yubikey-val/blob/19345b76eea90d1cb3996296c12ae616d8151c22/ykval-verify.php#L202

https://github.com/Yubico/yubikey-val/blob/19345b76eea90d1cb3996296c12ae616d8151c22/ykval-common.php#L109

Function is_clientid validates this parameter before its included in the sql query. Probably a good idea to fix the SQL query form anyway, but the ctype_digit filter I suspect should prevent exploitability here in practice.

StormTide avatar Jul 31 '20 17:07 StormTide