From 91a1fd074be6534ff07fa0895166d936d1715626 Mon Sep 17 00:00:00 2001
From: Peace-Maker
Date: Sun, 31 Jan 2021 22:26:05 +0100
Subject: [PATCH] Fix sql injection in sql-admin-manager plugin

This bug was found as part of justCTF 2020 in the PainterHell challenge by cypis. Thank you! Admins with the root flag could inject their own queries towards the admin database connection. The sql-admin-manager plugin is disabled by default.
---
 plugins/sql-admin-manager.sp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/sql-admin-manager.sp b/plugins/sql-admin-manager.sp
index 6433bba4..0ad732b9 100644
--- a/plugins/sql-admin-manager.sp
+++ b/plugins/sql-admin-manager.sp
@@ -789,7 +789,7 @@ public Action Command_AddAdmin(int client, int args)
 DBResultSet rs;
- Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, identity);
+ Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, safe_identity);
 if ((rs = SQL_Query(db, query)) == null)
 {
 return DoError(client, db, query, "Admin retrieval query failed");
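Review bot: `authtype` is still formatted unescaped into the same quoted literal on the new `Format(...)` line, so the query is only injection-safe if `authtype` is restricted to a fixed set of values earlier in `Command_AddAdmin`. The function starts and ends outside this hunk, so that check, and the point where `safe_identity` is escaped against this `db` connection, should be confirmed in the full file. Once confirmed, a short comment above the line would keep the invariant visible, e.g. `// identity is attacker-controlled: always use safe_identity in SQL; authtype is checked against a fixed list above`. Binding both values through a prepared statement (`SQL_PrepareQuery` with `SQL_BindParamString`) instead of `'%s'` formatting would remove the reliance on picking the escaped variable each time. The other string-built queries in this plugin are worth auditing for the same raw/escaped mix-up.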