Changeset 6563

Timestamp:
09/04/08 14:43:50 (3 months ago)
Author:
p_lindheimer
Message:

fix SECURITY: SQL injection vulnerability in the call-monitor search that could allow an authenticated user to access the CDR and recorded calls of any other user on the system

Files:

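--- a/freepbx/branches/2.5/amp_conf/htdocs/recordings/modules/callmonitor.module
+++ b/freepbx/branches/2.5/amp_conf/htdocs/recordings/modules/callmonitor.module
@@ -204,5 +204,5 @@
 
     // table body
-    foreach($data as $key=>$value) {
+    if (is_array($data)) foreach($data as $key=>$value) {
 
       // recording file
@@ -387,5 +387,5 @@
     }
 
-    foreach($data as $data_key => $data_value) {
+    if (is_array($data)) foreach($data as $data_key => $data_value) {
 
       $recording='';
@@ -555,6 +555,9 @@
     // search text
     if ($q!='*' && $q!=NULL) {
+
+      $dbh = $_SESSION['dbh_cdr'];
       $searchText .= "WHERE ";
       $tok = strtok($q," \n\t");
+      $tok = $dbh->escapeSimple($tok);
       while ($tok) {
         $searchText .= " (calldate regexp '" . $tok . "'
@@ -570,4 +573,5 @@
                        )";
         $tok = strtok(" \n\t");
+      $tok = $dbh->escapeSimple($tok);
         if ($tok) {
           $searchText .= " AND";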
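Review bot: The added `escapeSimple()` calls only neutralize the string delimiter; on the context line just below the first one the escaped token is still interpolated as a user-controlled pattern into `calldate regexp '…'`, so a caller can still pass `.*` to match every row or a pathological pattern that makes the scan of the CDR table expensive — the quote breakout is closed, the regex itself is not. Whether the other-user exposure named in the commit message is fully closed therefore depends on the per-user restriction being appended to `$searchText` unconditionally later in this function, which lies outside the hunk and should be re-checked. `$dbh = $_SESSION['dbh_cdr'];` is also used without any check; if the session handle is absent the `escapeSimple()` call that follows fails with a fatal error on an unescaped path rather than refusing cleanly, so I would fail closed first: `if (!is_object($dbh)) { die('CDR database handle is not available'); }`. A prepared statement with `?` placeholders for each token would remove the need to remember the escape at both `strtok()` sites. The enclosing function starts before and ends after these hunks, and the second escape line is indented two columns less than its siblings inside the `while`.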