VYPR
Unrated severity · NVD Advisory · Published Jan 16, 2023 · Updated Aug 6, 2024

antonbolling clan7ups Login/Session sql injection

CVE-2013-10012

Description

A vulnerability, which was classified as critical, was found in antonbolling clan7ups. Affected is an unknown function of the component Login/Session. The manipulation leads to sql injection. The name of the patch is 25afad571c488291033958d845830ba0a1710764. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218388.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in clan7ups login/session functions allows attackers to execute arbitrary SQL queries via unsanitized user input.

Vulnerability

The clan7ups application, specifically in the Login/Session component, contains multiple SQL injection vulnerabilities. The functions new_session, get_session, get_access, and no_access directly interpolate user-supplied parameters (such as $uid, $magic) into SQL queries without sanitization or parameterization. This affects all versions prior to the commit 25afad571c488291033958d845830ba0a1710764 [1]. The code path is reachable whenever a user interacts with session management or authentication endpoints.

Exploitation

An attacker can exploit these vulnerabilities by sending crafted HTTP requests to the application, providing malicious input in parameters like uid or magic. No authentication is required if the vulnerable endpoints are publicly accessible. The attacker simply needs to inject SQL syntax into these parameters; the application then executes the manipulated query against the database.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized reading, modification, or deletion of data, including user credentials and session information. The attacker may escalate privileges or gain full control over the application's data.

Mitigation

The vulnerability is fixed in commit 25afad571c488291033958d845830ba0a1710764 [1], which replaces direct string interpolation with prepared statements using placeholders. Users should apply this patch immediately. No other workarounds are documented.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
25afad571c48

this codebase is riddled with sql injection vulnerabilities; fix some of the key vulnerabilities in login/session code

https://github.com/antonbolling/clan7ups · Ryan Berckmans · Feb 13, 2013 · via nvd-ref
2 files changed · +21 -22
  • www/cgi-bin/login.pl +7 -7 modified
    @@ -53,17 +53,17 @@
     }
     
     #login is real, check the password
    -$sth = $dbh->prepare("select id from users where name='$login' and pass=PASSWORD('$pass')");
    -$sth->execute;
    +my $login_sql = $dbh->prepare("select id from users where name=? and pass=PASSWORD(?)");
    +$login_sql->execute($login,$pass);
     
    -my $valid_login = $sth->rows;
    -my ($uid) = $sth->fetchrow_array;
    +my $valid_login = $login_sql->rows;
    +my ($uid) = $login_sql->fetchrow_array;
     
     if ($valid_login) {
       # Login was valid, get the current time.
    -  my $sth = $dbh->prepare("select unix_timestamp(now())");
    -  $sth->execute;
    -  my ($time) = $sth->fetchrow_array;
    +  my $time_sql = $dbh->prepare("select unix_timestamp(now())");
    +  $time_sql->execute;
    +  my ($time) = $time_sql->fetchrow_array;
     
       my $magic = new_session($dbh, $uid);
       my $CGI_params = $q->Vars;
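Review bot: `$login_sql->rows` is read right after `execute`, before any row is fetched, and DBI only guarantees a row count for a SELECT once all rows have been fetched, so `$valid_login` depends on driver behaviour. Fetch first and test the result instead: `my ($uid) = $login_sql->fetchrow_array;` followed by `if (defined $uid)`. The return value of the new `execute($login,$pass)` is also unchecked, so a failed query looks the same as a wrong password unless `RaiseError` is set on the handle.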
    
  • www/cgi-bin/session.pl +14 -15 modified
    @@ -17,8 +17,10 @@ sub new_session {
       # Make sequence numbers random.
       my $magic = int rand(2147483648);
     
    -  $dbh->do("update users set magic=$magic where id=$uid");
    -  $dbh->do("update users set session_stamp=now() where id=$uid");
    +  my $sql = $dbh->prepare("update users set magic=? where id=?");
    +	$sql->execute($magic,$uid);
    +  $sql = $dbh->prepare("update users set session_stamp=now() where id=?");
    +	$sql->execute($uid);
     
       return $magic;
     }
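Review bot: the two `update users` statements in `new_session` touch the same row and can be one statement, `update users set magic=?, session_stamp=now() where id=?`, as `get_session` already does; that removes a round trip and the window in which `magic` is new but `session_stamp` is stale. The added `$sql->execute` lines are tab-indented while the rest of the sub uses two spaces. Separately from this change, `int rand(2147483648)` draws the session value from Perl's non-cryptographic generator, which deserves a follow-up.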
    @@ -34,21 +36,18 @@ sub get_session {
     
     #  print "<p>PASSED uid, magic: $uid, $cgi_magic</p>";
     
    -  my $sth = $dbh->prepare("select magic, UNIX_TIMESTAMP(now())-UNIX_TIMESTAMP(session_stamp) as elapsed from users where id=$uid");
    -  $sth->execute;
    +  my $sth = $dbh->prepare("select magic, UNIX_TIMESTAMP(now())-UNIX_TIMESTAMP(session_stamp) as elapsed from users where id=?");
    +  $sth->execute($uid);
       my ($db_magic, $elapsed) = $sth->fetchrow_array;
     
     #  print "<p>FOUND magic, elapsed: $db_magic, $elapsed</p>\n";
     
       if (($db_magic == $cgi_magic) and ($elapsed < $session_timeout)) {
         # Set a new session timestamp, update magic.
         my $new_magic = int rand(2147483648);
    -    $dbh->do("update users set session_stamp=now(), magic=$new_magic where id=$uid");
    +    my $sql = $dbh->prepare("update users set session_stamp=now(), magic=? where id=?");
    +		$sql->execute($new_magic,$uid);
     
    -    # Put magic into cgi query.
    -#    my $vars = $q->Vars;
    -#    $vars->{'magic'} = $new_magic;
    -    # Successfully continued session...
         return 1;
       }
       else {
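Review bot: the `fetchrow_array` result in `get_session` is still used unchecked in the `if` that follows it; when no row matches `$uid`, `$db_magic` and `$elapsed` are both `undef` and evaluate as 0 in the numeric `==` and `<` tests. Add `return 0 unless defined $db_magic;` before the comparison. The new `$sql->execute($new_magic,$uid)` line inside the `if` is tab-indented, unlike the surrounding lines.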
    @@ -63,8 +62,8 @@ sub get_access {
       my ($dbh, $q, $view_time) = @_;
       my $uid = cook_int($q->param('uid'));
     
    -  my $sth = $dbh->prepare("select access from users where id=$uid");
    -  $sth->execute;
    +  my $sth = $dbh->prepare("select access from users where id=?");
    +  $sth->execute($uid);
       my ($access) = $sth->fetchrow_array;
     
       return $access;
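Review bot: `get_access` returns whatever `fetchrow_array` yields, so an unknown `uid` gives `undef` rather than an explicit lowest access level; return a defined default, or document that callers must treat `undef` as no access. `$view_time` is unpacked from `@_` but not used in the lines shown.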
    @@ -76,8 +75,8 @@ sub no_access {
       my $action = cook_word($q->param('action'));
     
       # Log it.
    -  my $sth = $dbh->prepare("insert into log (user,action,cdata1) values($uid,'accessdenied','$action')");
    -  $sth->execute;
    +  my $sth = $dbh->prepare("insert into log (user,action,cdata1) values(?,'accessdenied','$action')");
    +  $sth->execute($uid);
     
       # Notify the user.
       print <<EOT;
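Review bot: the `insert into log` statement in `no_access` still interpolates `'$action'` into the SQL string; only `$uid` was moved to a placeholder. Bind it as well, `values(?,'accessdenied',?)` with `$sth->execute($uid,$action)`, so the query does not depend on `cook_word` for its safety.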
    @@ -96,8 +95,8 @@ sub get_session_info {
       my $uid = cook_int($q->param('uid'));
       my $magic = cook_int($q->param('magic'));
     
    -  my $sth = $dbh->prepare("select magic from users where id=$uid");
    -  $sth->execute;
    +  my $sth = $dbh->prepare("select magic from users where id=?");
    +  $sth->execute($uid);
       my ($nextmagic) = $sth->fetchrow_array;
     
       return "<input type='hidden' name='uid' value='$uid'>\n<input type='hidden' name='magic' value='$nextmagic'>\n";
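Review bot: in `get_session_info`, `$magic` is read from the request with `cook_int` but never used in the lines shown, and `$nextmagic` is `undef` when no row matches `$uid`, which emits an empty `value=''` in the hidden field. Drop the unused variable and return early (or return an empty string) when the lookup finds nothing.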
    

Vulnerability mechanics

Root cause

"Direct interpolation of user-controlled CGI parameters into SQL query strings without parameterization or sanitization."

Attack vector

An attacker can supply crafted values for the `uid`, `magic`, `login`, `pass`, or `action` CGI parameters. Because these values were concatenated directly into SQL statements without sanitization, the attacker can inject arbitrary SQL commands. For example, passing a malicious `uid` parameter to `session.pl` would allow the attacker to bypass authentication, extract data, or modify the database. The attack requires only network access to the CGI endpoints and no prior authentication [ref_id=1].

Affected code

The vulnerability spans multiple CGI scripts. In `www/cgi-bin/session.pl`, the `new_session`, `get_session`, `get_access`, `no_access`, and `get_session_info` subroutines directly interpolated user-controlled variables (`$uid`, `$action`) into SQL query strings. In `www/cgi-bin/login.pl`, the login query interpolated `$login` and `$pass` directly. The patch converts all these queries to use parameterized placeholders (`?`) with `execute()`.

What the fix does

The patch replaces all instances of string interpolation in SQL queries with parameterized prepared statements. For example, `"update users set magic=$magic where id=$uid"` becomes `"update users set magic=? where id=?"` followed by `$sql->execute($magic,$uid)`. This change ensures that user-supplied values are always treated as data, not executable SQL code, preventing injection attacks. The same pattern is applied across `session.pl` and `login.pl` for every affected query [patch_id=2243863].
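A way to audit for the pattern this fix targets, as an added example that is not part of the advisory or the clan7ups code base: a small Python check that flags DBI `prepare`/`do` calls whose double-quoted SQL literal still interpolates a Perl variable, run over lines copied from the diff on this page. The function name `find_interpolated_sql` and both regular expressions are assumptions made for illustration, and the check is a line-based heuristic that expects the call and its string literal on one line.

```python
import re

# A DBI prepare()/do() call with a double-quoted SQL literal.
# Double-quoted Perl strings interpolate $scalars and @arrays.
CALL_RE = re.compile(r'->\s*(prepare|do)\s*\(\s*"((?:[^"\\]|\\.)*)"')
# A Perl variable inside the literal that is not backslash-escaped.
VAR_RE = re.compile(r'(?<!\\)[$@]\{?[A-Za-z_]\w*')


def find_interpolated_sql(perl_source):
    """Return (line_no, method, variables) for each prepare/do call whose
    SQL literal interpolates a Perl variable instead of using ? placeholders."""
    findings = []
    for line_no, line in enumerate(perl_source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip whole-line Perl comments
        for match in CALL_RE.finditer(line):
            variables = VAR_RE.findall(match.group(2))
            if variables:
                findings.append((line_no, match.group(1), variables))
    return findings


# Sample input built from the diff on this page: two pre-patch lines
# followed by three post-patch lines (line 1 of the string is empty).
SAMPLE = r'''
$sth = $dbh->prepare("select id from users where name='$login' and pass=PASSWORD('$pass')");
$dbh->do("update users set magic=$magic where id=$uid");
my $login_sql = $dbh->prepare("select id from users where name=? and pass=PASSWORD(?)");
my $sql = $dbh->prepare("update users set magic=? where id=?");
my $sth = $dbh->prepare("insert into log (user,action,cdata1) values(?,'accessdenied','$action')");
'''

if __name__ == "__main__":
    for line_no, method, variables in find_interpolated_sql(SAMPLE):
        print(f"line {line_no}: {method}() interpolates {', '.join(variables)}")
```

The two fully parameterized post-patch statements pass, while the post-patch `no_access` insert is still reported because `'$action'` remains inside the SQL literal.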

Preconditions

  • network: Network access to the CGI endpoints (session.pl, login.pl)
  • input: Ability to supply arbitrary values for CGI parameters such as uid, magic, login, pass, or action

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
