Fix critical SQL injection vulnerabilities #160
Merged
Vulnerability
When installing PoracleWeb yesterday I noticed some unexpected PHP debugging output in my web browser, which led to me inspecting part of the source code. While skimming, I noticed numerous unsafe SQL queries, and drafted a quick proof-of-concept to verify that various public pages were vulnerable to unauthenticated SQL injection attacks. I shared the proof of concept code with @bbdoc and one additional user of PoracleWeb in order to validate my findings, but prefer to not share it here since it is a CVE 9.8 vulnerability, capable of being exploited by anonymous users on the internet, and until a remediation is readily available I feel it would cause more harm to point to exactly which codepaths are publicly vulnerable.
Changes in this PR
This PR replaces all dynamic calls to query($sql) with PreparedStatement calls. In several instances there are dynamic components not able to be guarded by PreparedStatement sanitation, which have had additional guards placed on them to verify integrity of the data before composing the SQL query.
AI Disclosure:
I used Claude Code from Anthropic both in the initial triaging of this vulnerability, as well as drafting the patch. Throughout the process I individually reviewed each small change before approving them, often tweaking or re-drafting the result to be more optimal. I have built PHP software in the past professionally, and I have both caused (when much younger) and resolved SQL injection vulnerabilities in my professional career pre-AI, and I am confident in my ability to judge quality output. Everything Claude contributed I could've easily written myself, just would've taken several times as long. Here is the entire chat transcript for the diagnosis and resolution of this issue.
Next steps
I do not have a fully functional instance of PoracleWeb that I can test this change against. Because of this, I'd appreciate any help testing and verifying this fix, both for functionality purposes (make sure I didn't break anything) and security purposes (verify the vulnerability is resolved). I've published my changes as a docker image at ghcr.io/complementarypogo/poracleweb:a0b8b92db463647b06bc7a104a4c818aa46ff9fe. I can be reached here in the comments of this PR, or on Discord @compl3m3nt.
In the meantime I would advise existing operators of PoracleWeb to immediately discontinue use of it until a remediation is available and confirmed, and check your databases and server hosts for signs of tampering or persistent access.
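The two kinds of fix the description mentions, parameterising values and guarding dynamic components that cannot be parameterised, are shown side by side below. This is an added example written for this page, not code from PoracleWeb or from the PR; it assumes a PDO connection to MySQL/MariaDB, and the table name, column names and function names are hypothetical.

```php
<?php
// Added illustration, not PoracleWeb's code. Assumes a PDO connection to
// MySQL/MariaDB; the `humans` table and its columns are hypothetical.
declare(strict_types=1);

// BEFORE (the pattern the PR removes): request data spliced into the SQL text,
// so the database parses whatever the client sent as part of the query.
function findHumanUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM humans WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the value travels as a bound parameter. The SQL text is fixed at
// prepare() time, so the input can never change the statement's structure.
function findHuman(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM humans WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names, sort direction) cannot be bound as parameters,
// which is the "dynamic components" case the PR describes. The usual guard is
// an allowlist: the query is composed only from literals the code itself owns.
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

function listHumans(PDO $pdo, string $orderBy, string $direction, int $limit): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Normalise to one of two fixed tokens rather than echoing the input.
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    if ($limit < 1 || $limit > 500) {
        throw new InvalidArgumentException('Limit out of range');
    }
    // $orderBy and $direction now come only from constants above; the numeric
    // LIMIT is still bound, with an explicit integer type.
    $stmt = $pdo->prepare(
        "SELECT id, name FROM humans ORDER BY `$orderBy` $direction LIMIT :limit"
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup: disable client-side prepare emulation so prepare() creates
// a real server-side prepared statement, and surface driver errors as
// exceptions instead of silently returning false.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

When reviewing a patch like this one, the check worth making on every converted call site is that no request-derived string still reaches the SQL text through concatenation or interpolation; anything that must (table or column names, ORDER BY, LIMIT) should be reduced to a fixed set of literals or a typed bound parameter as above.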