4 changes: 2 additions & 2 deletions src/admin/charts.php
Expand Up @@ -187,7 +187,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['CHARTID'] = DB_RemoveBadChars($_GET['id']);
$content['CHARTID'] = intval(DB_RemoveBadChars($_GET['id']));

// Check if exists
if ( is_numeric($content['CHARTID']) && isset($content['Charts'][ $content['CHARTID'] ]) )
Expand Down Expand Up @@ -268,7 +268,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['CHARTID'] = DB_RemoveBadChars($_GET['id']);
$content['CHARTID'] = intval(DB_RemoveBadChars($_GET['id']));

// Get UserInfo
$result = DB_Query("SELECT DisplayName FROM " . DB_CHARTS . " WHERE ID = " . $content['CHARTID'] );
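Review bot: The `is_numeric($content['CHARTID'])` test three lines below the new assignment in the first hunk is now always true, because the value has already been passed through `intval()`, so a request such as `id=abc` is no longer refused and proceeds with CHARTID 0. The cast does fix the unquoted concatenation into the `WHERE ID = ` query in the second hunk, but the rejection path is only preserved if the check runs on the raw input, e.g. `if ( ctype_digit((string) $_GET['id']) && isset($content['Charts'][ $content['CHARTID'] ]) )`. The first hunk of sources.php has the same now-dead `is_numeric` guard, and groups.php, searches.php, users.php and reportgenerator.php share the silent cast-to-0 behaviour; reportgenerator.php even has an explicit error branch for a missing id that a non-numeric id now bypasses. Wrapping `DB_RemoveBadChars()` inside `intval()` adds nothing once the value is cast, so `intval($_GET['id'])` alone reads more honestly. Both enclosing `if` blocks extend past the hunks.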
4 changes: 2 additions & 2 deletions src/admin/fields.php
Expand Up @@ -93,7 +93,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['FieldID'] = DB_RemoveBadChars($_GET['id']);
$content['FieldID'] = intval(DB_RemoveBadChars($_GET['id']));
critical

This change incorrectly assumes that FieldID is always an integer. However, FieldID can be a string for both internal fields (e.g., SYSLOG_HOST) and for user-defined fields.

Using intval() on a non-numeric string FieldID will convert it to 0, causing operations like 'edit' or 'delete' to target the wrong field. This is a significant bug.

To fix the SQL injection vulnerability correctly for this string identifier, please use a proper database escaping function instead of intval(). For example:

// Assuming a function like DB_EscapeString exists in your DB layer
$content['FieldID'] = DB_EscapeString(DB_RemoveBadChars($_GET['id']));

If your database abstraction layer doesn't provide an escaping function, you should use one specific to your database driver (e.g., mysqli_real_escape_string()).

This feedback also applies to the change at line 142.

@cubic-dev-ai cubic-dev-ai Bot Apr 9, 2026

P1: Forced intval() on FieldID can rewrite valid string IDs and cause wrong or failed edit/delete targeting.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/admin/fields.php, line 96:

<comment>Forced `intval()` on `FieldID` can rewrite valid string IDs and cause wrong or failed edit/delete targeting.</comment>

<file context>
@@ -93,7 +93,7 @@
 		{
 			//PreInit these values 
-			$content['FieldID'] = DB_RemoveBadChars($_GET['id']);
+			$content['FieldID'] = intval(DB_RemoveBadChars($_GET['id']));
 
 			if ( isset($fields[$content['FieldID']]['FieldID']) )
</file context>
Suggested change
$content['FieldID'] = intval(DB_RemoveBadChars($_GET['id']));
$content['FieldID'] = DB_RemoveBadChars($_GET['id']);


if ( isset($fields[$content['FieldID']]['FieldID']) )
{
Expand Down Expand Up @@ -139,7 +139,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['FieldID'] = DB_RemoveBadChars($_GET['id']);
$content['FieldID'] = intval(DB_RemoveBadChars($_GET['id']));

// Get UserInfo
$result = DB_Query("SELECT FieldCaption FROM " . DB_FIELDS . " WHERE FieldID = '" . $content['FieldID'] . "'");
4 changes: 2 additions & 2 deletions src/admin/groups.php
Expand Up @@ -230,7 +230,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['GROUPID'] = DB_RemoveBadChars($_GET['id']);
$content['GROUPID'] = intval(DB_RemoveBadChars($_GET['id']));

$sqlquery = "SELECT * " .
" FROM " . DB_GROUPS .
Expand Down Expand Up @@ -261,7 +261,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['GROUPID'] = DB_RemoveBadChars($_GET['id']);
$content['GROUPID'] = intval(DB_RemoveBadChars($_GET['id']));

// Get GroupInfo
$result = DB_Query("SELECT groupname FROM " . DB_GROUPS . " WHERE ID = " . $content['GROUPID'] );
6 changes: 3 additions & 3 deletions src/admin/parsers.php
Expand Up @@ -92,7 +92,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ParserID'] = DB_RemoveBadChars($_GET['id']);
$content['ParserID'] = intval(DB_RemoveBadChars($_GET['id']));
if ( isset($content['PARSERS'][ $content['ParserID'] ]) )
{
// Get Reference to parser!
Expand Down Expand Up @@ -155,7 +155,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ParserID'] = DB_RemoveBadChars($_GET['id']);
$content['ParserID'] = intval(DB_RemoveBadChars($_GET['id']));
if ( isset($content['PARSERS'][ $content['ParserID'] ]) )
{
// Get Reference to parser!
Expand Down Expand Up @@ -215,7 +215,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ParserID'] = DB_RemoveBadChars($_GET['id']);
$content['ParserID'] = intval(DB_RemoveBadChars($_GET['id']));
if ( isset($content['PARSERS'][ $content['ParserID'] ]) )
{
// Get Reference to parser!
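Review bot: In all three hunks the cast value goes straight into `isset($content['PARSERS'][ $content['ParserID'] ])`, and nothing in this diff shows that PARSERS is keyed by integers; if parser IDs are string keys, every lookup fails after the `intval()` and the not-found branch runs for valid parsers. Please confirm the key type before merging — if the keys are strings, the array lookup itself is already the validation and the assignment should stay `$content['ParserID'] = DB_RemoveBadChars($_GET['id']);`, with the value only ever used as an array key, never concatenated into SQL. If the keys are integers, a short comment such as `// Parser IDs are integer keys of $content['PARSERS']` above the cast would make the assumption explicit. The enclosing `if`/`else if` blocks begin and end outside the hunks.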
12 changes: 6 additions & 6 deletions src/admin/reports.php
Expand Up @@ -111,7 +111,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['ReportID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));
if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
{
// Get Reference to parser!
Expand Down Expand Up @@ -203,7 +203,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['ReportID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));
if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
{
// Get Reference to parser!
Expand Down Expand Up @@ -267,7 +267,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['ReportID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));
if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
{
// Get Reference to parser!
Expand Down Expand Up @@ -334,7 +334,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['ReportID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));

// Init Form variables
$content['ISADDSAVEDREPORT'] = "true";
Expand Down Expand Up @@ -430,7 +430,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['ReportID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['ReportID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));
if ( isset($content['REPORTS'][ $content['ReportID'] ]) )
{
// Get Reference to report!
Expand All @@ -440,7 +440,7 @@
$content['REPORTS_DETAILSFOR'] = GetAndReplaceLangStr( $content['LN_REPORTS_DETAILSFOR'], $content['ReportID'] );

// Now Get data from saved report!
$content['SavedReportID'] = DB_RemoveBadChars($_GET['savedreportid']);
$content['SavedReportID'] = intval(DB_RemoveBadChars($_GET['savedreportid']));

if ( isset($myReport['SAVEDREPORTS'][$content['SavedReportID']]) )
{
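Review bot: The new `intval(strip_tags(...))` form in the first five hunks is self-contradicting: `strip_tags()` only makes sense on free text, and the original author applying it suggests ReportID was treated as a string, yet the same value is used as the key into `$content['REPORTS']` and, in the last hunk, passed to `GetAndReplaceLangStr()` for display. If report IDs are string keys, the cast turns them into 0 and every `isset($content['REPORTS'][ ... ])` check fails; if they are integers, `strip_tags()` is dead and should be dropped so the line reads `$content['ReportID'] = intval($_GET['id']);`. The `SavedReportID` cast in the last hunk looks like an integer key into `$myReport['SAVEDREPORTS']`, but that too is not visible here — please confirm both key types. The enclosing blocks start and end outside the hunks.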
4 changes: 2 additions & 2 deletions src/admin/searches.php
Expand Up @@ -128,7 +128,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['SEARCHID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));

$sqlquery = "SELECT * " .
" FROM " . DB_SEARCHES .
Expand Down Expand Up @@ -191,7 +191,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$content['SEARCHID'] = intval(strip_tags(DB_RemoveBadChars($_GET['id'])));

// Get UserInfo
$result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] );
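Review bot: Here the cast is the right type, since SEARCHID is concatenated unquoted into `WHERE ID = ` in the second hunk, but `strip_tags(DB_RemoveBadChars(...))` inside `intval()` is now dead work on both new lines and obscures that the value is an integer. Simplify to `$content['SEARCHID'] = intval($_GET['id']);` in both hunks. Both enclosing `if` blocks continue past the hunks.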
8 changes: 4 additions & 4 deletions src/admin/sources.php
Expand Up @@ -177,7 +177,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SOURCEID'] = DB_RemoveBadChars($_GET['id']);
$content['SOURCEID'] = intval(DB_RemoveBadChars($_GET['id']));

// Check if exists
if ( is_numeric($content['SOURCEID']) && isset($content['Sources'][ $content['SOURCEID'] ]) )
Expand Down Expand Up @@ -296,7 +296,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SOURCEID'] = DB_RemoveBadChars($_GET['id']);
$content['SOURCEID'] = intval(DB_RemoveBadChars($_GET['id']));

// Get SourceInfo
$result = DB_Query("SELECT Name FROM " . DB_SOURCES . " WHERE ID = " . $content['SOURCEID'] );
Expand Down Expand Up @@ -339,7 +339,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SOURCEID'] = DB_RemoveBadChars($_GET['id']);
$content['SOURCEID'] = intval(DB_RemoveBadChars($_GET['id']));
}

// Check If source is available
Expand Down Expand Up @@ -473,7 +473,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SOURCEID'] = DB_RemoveBadChars($_GET['id']);
$content['SOURCEID'] = intval(DB_RemoveBadChars($_GET['id']));
}

// Check If source is available
4 changes: 2 additions & 2 deletions src/admin/users.php
Expand Up @@ -186,7 +186,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['USERID'] = DB_RemoveBadChars($_GET['id']);
$content['USERID'] = intval(DB_RemoveBadChars($_GET['id']));
@cubic-dev-ai cubic-dev-ai Bot Apr 9, 2026

P1: Incomplete SQLi mitigation: the patch casts GET id but leaves POST id in edituser uncast and concatenated into numeric SQL conditions.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/admin/users.php, line 189:

<comment>Incomplete SQLi mitigation: the patch casts GET `id` but leaves POST `id` in `edituser` uncast and concatenated into numeric SQL conditions.</comment>

<file context>
@@ -186,7 +186,7 @@
 		{
 			//PreInit these values 
-			$content['USERID'] = DB_RemoveBadChars($_GET['id']);
+			$content['USERID'] = intval(DB_RemoveBadChars($_GET['id']));
 
 			$sqlquery = "SELECT * " . 
</file context>


$sqlquery = "SELECT * " .
" FROM " . DB_USERS .
Expand Down Expand Up @@ -228,7 +228,7 @@
if ( isset($_GET['id']) )
{
//PreInit these values
$content['USERID'] = DB_RemoveBadChars($_GET['id']);
$content['USERID'] = intval(DB_RemoveBadChars($_GET['id']));

if ( !isset($_SESSION['SESSION_USERNAME']) )
{
6 changes: 3 additions & 3 deletions src/admin/views.php
Expand Up @@ -138,7 +138,7 @@
if ( isset($_GET['id']) && isset($content['VIEWS'][$_GET['id']]) )
{
//PreInit these values
$content['VIEWID'] = DB_RemoveBadChars($_GET['id']);
$content['VIEWID'] = intval(DB_RemoveBadChars($_GET['id']));
if ( isset($content['VIEWS'][ $content['VIEWID'] ]) )
{

Expand Down Expand Up @@ -191,15 +191,15 @@
{
$content['ISEDITORNEWVIEW'] = false;
$content['ISERROR'] = true;
$content['ERROR_MSG'] = GetAndReplaceLangStr( $content['LN_VIEWS_ERROR_INVALIDID'], isset($_GET['id']) ? $_GET['id'] : "<unknown>" );
$content['ERROR_MSG'] = GetAndReplaceLangStr( $content['LN_VIEWS_ERROR_INVALIDID'], isset($_GET['id']) ? intval($_GET['id']) : "<unknown>" );
}
}
else if ($_GET['op'] == "delete")
{
if ( isset($_GET['id']) )
{
//PreInit these values
$content['VIEWID'] = DB_RemoveBadChars($_GET['id']);
$content['VIEWID'] = intval(DB_RemoveBadChars($_GET['id']));

// Get UserInfo
$result = DB_Query("SELECT DisplayName FROM " . DB_VIEWS . " WHERE ID = " . $content['VIEWID'] );
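Review bot: The first hunk now validates the same request parameter twice with different types: the outer condition indexes `$content['VIEWS'][$_GET['id']]` with the raw string, while the new line casts it and the next line re-checks `isset($content['VIEWS'][ $content['VIEWID'] ])` with the integer, so the two checks can disagree (a raw key that exists as a string may not exist as its integer form, and vice versa). Compute the value once and use it in both places, e.g. `$viewId = intval($_GET['id']);` before the outer `if`, then `isset($content['VIEWS'][$viewId])` in the condition and `$content['VIEWID'] = $viewId;` inside. This also assumes VIEWS is keyed by integers, which the diff does not show — please confirm. The enclosing `if`/`else if` chain starts and ends outside the hunks.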
2 changes: 1 addition & 1 deletion src/reportgenerator.php
Expand Up @@ -70,7 +70,7 @@
}

if ( isset($_GET['id']) )
$content['reportid'] = DB_RemoveBadChars($_GET['id']);
$content['reportid'] = intval(DB_RemoveBadChars($_GET['id']));
else
{
$content['error_occured'] = "error";