fix(security): fixed sql injection vulnerability in the zero spam adm…

…in log table query
Highfivery · May 8, 2023 · 6c7fca8 · 6c7fca8
1 parent e33ef67
commit 6c7fca8
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 47 deletions.
diff --git a/core/admin/tables/class-logtable.php b/core/admin/tables/class-logtable.php
@@ -208,79 +208,69 @@ public function prepare_items() {
 		// @codingStandardsIgnoreLine
 		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_sql_orderby( wp_unslash( $_REQUEST['orderby'] ) ) : 'date_recorded';
 
-		// @codingStandardsIgnoreLine
-		$log_type   = ! empty( $_REQUEST['type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['type'] ) ) : false;
-		// @codingStandardsIgnoreLine
-		$country    = ! empty( $_REQUEST['country'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['country'] ) ) : false;
-		// @codingStandardsIgnoreLine
-		$user_ip    = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : false;
+		$log_type = ! empty( $_REQUEST['type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['type'] ) ) : false;
+		$country  = ! empty( $_REQUEST['country'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['country'] ) ) : false;
+		$user_ip  = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : false;
 
 		// Define the database table.
 		$database_table = $wpdb->prefix . \ZeroSpam\Includes\DB::$tables['log'];
 
-		// Prepare the select statements.
-		$select_array = array( '*' );
-
 		// Order & add extra select statements.
+		$order_statement = '';
 		switch ( $orderby ) {
 			case 'user_ip':
-				$order_statement = "ORDER BY user_ip $order";
+				$order_statement = " ORDER BY user_ip $order";
 				break;
 			case 'country':
-				$order_statement = "ORDER BY country $order";
+				$order_statement = " ORDER BY country $order";
 				break;
 			case 'region':
-				$order_statement = "ORDER BY country $order";
+				$order_statement = " ORDER BY country $order";
 				break;
 			case 'date_recorded':
-				$order_statement = "ORDER BY date_recorded $order";
+				$order_statement = " ORDER BY date_recorded $order";
 				break;
 			case 'log_type':
-				$order_statement = "ORDER BY log_type $order";
+				$order_statement = " ORDER BY log_type $order";
 				break;
 		}
 
 		// Where.
-		$where_array = array();
+		$where_array     = array();
+		$where_statement = '';
 
 		if ( $log_type ) {
-			$where_array[] = "log_type = '$log_type'";
+			$where_array[] = "`log_type` = %s";
+			$database_query_arguments[] = $log_type;
 		}
 
 		if ( $country ) {
-			$where_array[] = "country = '$country'";
+			$where_array[] = "`country` = %s";
+			$database_query_arguments[] = $country;
 		}
 
 		if ( $user_ip ) {
-			$where_array[] = "user_ip = '$user_ip'";
+			$where_array[] = "`user_ip` = %s";
+			$database_query_arguments[] = $user_ip;
 		}
 
+		if ( $where_array ) {
+			$where_statement .= 'WHERE ';
+			$where_statement .= implode( ' AND ', $where_array );
+		}
+
+
 		// Limit.
 		$limit_statement = "LIMIT $per_page";
 		if ( $offset ) {
 			$limit_statement .= ", $offset";
 		}
 
-		// Create the query.
-		$database_query = 'SELECT ';
-
-		$select_statement = implode( ', ', $select_array );
-		$database_query  .= $select_statement . ' ';
-
-		$database_query .= "FROM $database_table ";
-
-		if ( $where_array ) {
-			$database_query .= 'WHERE ';
-			$database_query .= implode( ' AND ', $where_array );
-		}
-
-		if ( ! empty( $order_statement ) ) {
-			$database_query .= $order_statement . ' ';
-		}
-
-		$database_query .= $limit_statement;
+		$database_query = $wpdb->prepare(
+			"SELECT * FROM `$database_table`$where_statement$order_statement $limit_statement",
+			$database_query_arguments
+		);
 
-		// @codingStandardsIgnoreLine
 		$data = $wpdb->get_results( $database_query, ARRAY_A );
 
 		if ( ! $data ) {
@@ -290,12 +280,6 @@ public function prepare_items() {
 		// Get total number of rows.
 		$count_query = "SELECT COUNT(*) FROM $database_table ";
 
-		if ( $where_array ) {
-			$count_query .= 'WHERE ';
-			$count_query .= implode( ' AND ', $where_array );
-		}
-
-		// @codingStandardsIgnoreLine
 		$total_items = $wpdb->get_var( $count_query );
 
 		$this->set_pagination_args(

diff --git a/readme.txt b/readme.txt
@@ -3,9 +3,9 @@ Contributors: bmarshall511
 Tags: protection, firewall, security, spam, spam blocker
 Donate link: https://www.zerospam.org/subscribe/
 Requires at least: 5.2
-Tested up to: 6.1.1
+Tested up to: 6.2.0
 Requires PHP: 7.4
-Stable tag: 5.4.4
+Stable tag: 5.4.5
 License: GNU GPLv3
 License URI: https://choosealicense.com/licenses/gpl-3.0/
 
@@ -107,6 +107,10 @@ If hosting with Pantheon, see their [known issues page](https://pantheon.io/docs
 
 == Changelog ==
 
+= v5.4.5 =
+
+* fix(security): fixed sql injection vulnerability in the zero spam admin log table query
+
 = v5.4.4 =
 
 * refactor(project honeypot): resolves #344, added additional check & debug info for ip type support

diff --git a/wordpress-zero-spam.php b/wordpress-zero-spam.php
@@ -13,7 +13,7 @@
  * Plugin Name:       Zero Spam for WordPress
  * Plugin URI:        https://www.highfivery.com/projects/zero-spam/
  * Description:       Tired of all the ineffective WordPress anti-spam & security plugins? Zero Spam for WordPress makes blocking spam &amp; malicious activity a cinch. <strong>Just activate, configure, and say goodbye to spam.</strong>
- * Version:           5.4.4
+ * Version:           5.4.5
  * Requires at least: 5.2
  * Requires PHP:      7.3
  * Author:            Highfivery LLC
@@ -31,7 +31,7 @@
 define( 'ZEROSPAM', __FILE__ );
 define( 'ZEROSPAM_PATH', plugin_dir_path( ZEROSPAM ) );
 define( 'ZEROSPAM_PLUGIN_BASE', plugin_basename( ZEROSPAM ) );
-define( 'ZEROSPAM_VERSION', '5.4.4' );
+define( 'ZEROSPAM_VERSION', '5.4.5' );
 
 if ( defined( 'ZEROSPAM_DEVELOPMENT_URL' ) ) {
 	define( 'ZEROSPAM_URL', ZEROSPAM_DEVELOPMENT_URL );