MantisBT: master 3e37b404

Author Committer Branch Timestamp Parent
dregad dregad master 2020-11-21 00:34 master 30b37742
Affected Issues  0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP.
Changeset

Fix SQL injection in Project API

The query's where clause in project_get_all_user_rows() was built by
concatenating an unsanitized variable, allowing SQL injection via
SOAP API's mc_project_get_users() function using a crafted request.

Relying on DbQuery object ensures use of query parameters, making the
SQL injection impossible.

Partial backport from commit 682a182d4b2ae9abd2edb9c2ed40eb80723988b1.

Fixes 0027495, CVE-2020-28413

mod - core/project_api.php Diff File