Merge branch 'ent-12752-unauth-time-based-sql-injection' into 'develop'

Ent 12752 Unauth Time-Based SQL Injection See merge request artica/pandorafms!6861
2024-01-23 07:38:34 +00:00 · 2024-01-23 07:38:34 +00:00 · 013d2119d6
parent 30f6e9ea36 ae9b786dd5
commit 013d2119d6
1 changed files with 4 additions and 1 deletions
--- a/pandora_console/extensions/grafana/index.php
+++ b/pandora_console/extensions/grafana/index.php
@ -23,7 +23,10 @@ if ($headers['X-DS-Authorization']) {

        list($user, $password) = explode(':', base64_decode($headers['X-DS-Authorization']));

-        // Check user login
+        // Prevent sql injection.
+        $user = mysqli_real_escape_string($config['dbconnection'], $user);
+
+        // Check user login.
        $user_in_db = process_user_login($user, $password, true);

    if ($user_in_db !== false) {