High severity8.2NVD Advisory· Published May 21, 2026· Updated May 21, 2026
CVE-2026-48235
CVE-2026-48235
Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-48235: SQL injection in Open ISES Tickets before 3.44.2 via unsanitized external GPS data fields allows authenticated or network-positioned attackers to manipulate responder location, tracks, and assignment tables.
Vulnerability
Overview
CVE-2026-48235 is a SQL injection vulnerability discovered in Open ISES Tickets, a helpdesk/ticketing application, affecting versions prior to 3.44.2. The flaw resides in the file incs/remotes.inc.php, where the application integrates with external GPS tracking services—specifically InstaMapper and Google Latitude—to ingest location data from responders. Fields such as latitude, longitude, callsign, mph, altitude, and timestamp are parsed from XML or JSON responses provided by these services and are directly concatenated into UPDATE and INSERT SQL statements without any sanitization or parameterization [1]. This lack of input validation means that an attacker who controls the data sent from the GPS tracking endpoint can inject malicious SQL commands into the database queries.
Exploitation
Prerequisites and Method
Exploitation requires the ability to either compromise the legitimate external GPS tracker endpoint used by the Open ISES Tickets instance, or to impersonate that endpoint (e.g., via a man-in-the-middle attack or by manipulating DNS). An attacker does not need prior authentication to the Open ISES Tickets application itself, but they must be able to inject crafted payloads into the latitude, longitude, or other monitored fields that are processed by remotes.inc.php. Once the vulnerable code processes these values, the SQL injection payload is executed within the context of the application's database connection [1]. The attack surface is therefore network-based, targeting the trust relationship between the ticketing system and its external GPS data provider.
Impact
Successful exploitation of this SQL injection can lead to unauthorized manipulation of sensitive data within the Open ISES Tickets database. Specifically, an attacker can modify the location records of responders, alter the tracks they have recorded, and change assignments between tickets and responders. This could enable an attacker to forge incorrect location histories, reassign tickets arbitrarily, or corrupt the operational data of the emergency or field service operation using the system [1]. While the CVE description does not indicate data exfiltration as the primary goal, the ability to write arbitrary data into the responder, tracks, and assignment tables could have severe consequences for the integrity and reliability of the incident response process.
Mitigation
The vulnerability has been patched in Open ISES Tickets version 3.44.2, which was released as a critical security update [2]. This release addresses 19 SQL injection vulnerabilities across 11 files, including the flaw described in CVE-2026-48235. All users are strongly advised to upgrade to version 3.44.2 or later immediately. For Docker deployments, the recommended upgrade path is docker compose pull && docker compose up -d; for traditional installations, users should download the latest archive, extract it over their existing installation, and run the installer in Upgrade mode [2]. No workarounds have been provided by the vendor, underscoring the importance of applying the patch.
References
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <3.44.2
Patches
1ecfeb406a016Security: Fix 69 reflected XSS vulnerabilities across 22 files
29 files changed · +89 −89
add_facnote.php+1 −1 modified@@ -137,7 +137,7 @@ function validate () { <TD class='td_data'><TEXTAREA NAME='frm_notes' tabindex=4 COLS=60 ROWS = 3><?php print $notes;?></TEXTAREA></TD> </TR> </TABLE> - <INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> + <INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> <INPUT TYPE = 'hidden' NAME = 'frm_existing' VALUE='<?php print $existing;?>' /> </FORM> </DIV>
add_nm.php+2 −2 modified@@ -344,7 +344,7 @@ function do_notify() { var theAddresses = '<?php print implode("|", array_unique($addrs));?>'; // drop dupes var theText= "TICKET - New: "; - var theId = '<?php print $_POST['ticket_id'];?>'; + var theId = '<?php print intval($_POST['ticket_id']);?>'; // mail_it ($to_str, $text, $theId, $text_sel=1;, $txt_only = FALSE) @@ -423,7 +423,7 @@ function do_notify() { // dummy </FORM> <FORM NAME='to_routes' METHOD='get' ACTION='routes.php'> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' /> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' /> <INPUT TYPE='submit' VALUE='Routes' /></CENTER> </FORM> <?php
add_note.php+1 −1 modified@@ -103,7 +103,7 @@ function set_signal(inval) { <B>Apply to</B> : Description » <INPUT TYPE = 'radio' NAME='frm_add_to' value='0' CHECKED /> <?php print $disposition;?> » <INPUT TYPE = 'radio' NAME='frm_add_to' value='1' /> - <INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> + <INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> </FORM> </DIV> </DIV>
add.php+1 −1 modified@@ -653,7 +653,7 @@ function updt_ticket($id) { /* 1/25/09 */ <SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_main.submit();'>Main</SPAN><BR /> <BR /> <FORM NAME='to_routes' METHOD='get' ACTION='<?php print $_SESSION['routesfile'];?>'> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' /> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' /> </FORM> <SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_routes.submit();'>Routes</SPAN> </CENTER>
circle.php+1 −1 modified@@ -1342,7 +1342,7 @@ function toggle(the_value) { <BODY onload = 'document.dummy.submit();'> <FORM NAME='dummy' METHOD = 'post' ACTION = '<?php echo basename(__FILE__);?>'> <INPUT TYPE = 'hidden' NAME = '_func' VALUE = 'r' /> -<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo $_POST['frm_id'];?>' /> +<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo intval($_POST['frm_id']);?>' /> </FORM></BODY></HTML> <?php
db_loader.php+6 −6 modified@@ -633,12 +633,12 @@ function confirm_delete() { </DIV> </DIV> - <INPUT name='ticketshost' type='hidden' VALUE='<?php print $_POST['ticketshost'];?>' /> - <INPUT name='ticketsdb' type='hidden' VALUE='<?php print $_POST['ticketsdb'];?>' /> - <INPUT name='ticketsuser' type='hidden' VALUE='<?php print $_POST['ticketsuser'];?>' /> - <INPUT name='ticketspassword' type='hidden' VALUE='<?php print $_POST['ticketspassword'];?>' /> - <INPUT name='ticketsprefix' type='hidden' VALUE='<?php print $_POST['ticketsprefix'];?>' /> - <INPUT name='db_schema' type='hidden' VALUE='<?php print $_POST['db_schema'];?>' /> + <INPUT name='ticketshost' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>' /> + <INPUT name='ticketsdb' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>' /> + <INPUT name='ticketsuser' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>' /> + <INPUT name='ticketspassword' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>' /> + <INPUT name='ticketsprefix' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>' /> + <INPUT name='db_schema' type='hidden' VALUE='<?php print htmlspecialchars($_POST['db_schema'], ENT_QUOTES, 'UTF-8');?>' /> <INPUT name='page_background' type='hidden' VALUE='<?php print $page_background;?>' /> <INPUT name='normal_text' type='hidden' VALUE='<?php print $normal_text;?>' /> <INPUT name='form_input_background' type='hidden' VALUE='<?php print $form_input_background;?>' />
delete_module.php+7 −7 modified@@ -63,15 +63,15 @@ function mod_table_exists($tablename) { //check if mysql table exists, if it's <TR><TH class='heading'>Module Deletion - Confirmation</TH></TR> <TR><TD> </TD></TR> <TR><TD> </TD></TR> - <FORM NAME="delete_2" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> - <TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print $_POST['module_choice'];?></TD></TR> + <FORM NAME="delete_2" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post"> + <TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?></TD></TR> <TR><TD> </TD></TR> <TR><TD> </TD></TR> <TR><TD> </TD></TR> <TR><TD CLASS="td_label">Click Submit to confirm module deletion or Cancel to abort</TD></TR> <TR><TD> </TD></TR> <TR><TD> </TD></TR> - <INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print $_POST['module_choice'];?>'> + <INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?>'> <INPUT TYPE='hidden' NAME='flag' VALUE='Confirmation Received'> <TR><TD ALIGN="center"><INPUT TYPE="button" VALUE="Cancel" onClick="window.location.href='config.php'" > <input type="submit" name="submit" value="Submit" /></TD></TR> </FORM></TABLE> @@ -102,8 +102,8 @@ function rmdir_recurse($path) { ?> <DIV style='background-color:#CECECE; position: absolute; width: 60%; height: 60%; left: 20%; top: 10%; border:2px inset #FFF2BF; display: block; text-align: center'> - <BR /><BR /><BR /><BR /><?php print $_POST['flag'];?><BR /><BR /> - Deleting Tickets Module........<?php print $_POST['confirmation'];?><BR /><BR /> + <BR /><BR /><BR /><BR /><?php print htmlspecialchars($_POST['flag'], ENT_QUOTES, 'UTF-8');?><BR /><BR /> + Deleting Tickets Module........<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?><BR /><BR /> Dropping Table........<?php print $table;?>........... <?php $query = "DROP table `{$GLOBALS['mysql_prefix']}" . $table ."`"; @@ -115,7 +115,7 @@ function rmdir_recurse($path) { } ?> - Removing Directory and files /modules/<?php print $_POST['confirmation'];?>.......... + Removing Directory and files /modules/<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?>.......... <?php $directory = $tickets_dir . "/modules/" . $module_name; $rem_dir = rmdir_recurse($directory); @@ -162,7 +162,7 @@ function rmdir_recurse($path) { <DIV style='background-color:#CECECE; position: absolute; width: 40%; height: 20%; left: 5%; top: 10%; border:2px inset #FFF2BF; display: block'> <TABLE BORDER="0"> <TH COLSPAN="2">Delete a Tickets Module<BR /></TH> - <FORM NAME="delete_1" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> + <FORM NAME="delete_1" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post"> <TR CLASS="even"><TD CLASS="td_label">Module: </TD><TD><?php print $choice;?></TD> <TR CLASS="even"><TD COLSPAN="2" ALIGN="center"><input type="submit" name="submit" value="Submit" /></TD></TR> </FORM></TABLE>
do_unit_mail.php+1 −1 modified@@ -66,7 +66,7 @@ function subval_sort($a,$subkey) { } elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] == "doselect") { // 10/23/12 $step = 1; } elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] != "undefined" && $_GET['the_ticket'] != "doselect") { // 10/23/12 - $tik_id = $_GET['the_ticket']; + $tik_id = intval($_GET['the_ticket']); $step = (((integer) $_GET['the_ticket'])==0)? 0 : 2 ; } else { // dump(__LINE__);
icons/buttons/landb.php+3 −3 modified@@ -632,7 +632,7 @@ function waiter() { </SCRIPT> </HEAD> <BODY onLoad = "waiter();"> -<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' added</H3></DIV> +<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' added</H3></DIV> </BODY></HTML> <?php break; // end case "c" @@ -979,14 +979,14 @@ function toggle(the_value) { <SCRIPT> function waiter() { document.navform._func.value="r"; - document.navform.id.value=<?php echo $_POST['frm_id'];?> + document.navform.id.value=<?php echo intval($_POST['frm_id']);?> // fade("up_id;") setTimeout("document.navform.submit()",2000); } </SCRIPT> </HEAD> <BODY onLoad = "waiter();"> -<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' update complete</H3></DIV> +<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' update complete</H3></DIV> </BODY> </HTML> <?php
ics202.php+1 −1 modified@@ -219,7 +219,7 @@ function in_check( $name, $tabindex, $value, $ischecked) { // <input type=text echo template_ics ($item); // fills form with default $item entries ?> <input type = 'hidden' name = 'step' value = 2 /> -<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/> +<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/> </form> <script> function validate(our_form) { // ics form name check
ics205a.php+1 −1 modified@@ -178,7 +178,7 @@ function in_text( $name, $size, $tabindex, $data = "") { // <input type=text . echo template_205a ($item); // fills form with default $item entries ?> <input type = 'hidden' name = 'step' value = 2 /> -<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/> +<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/> </form> <script> function validate(our_form) { // ics form name check
ics205.php+1 −1 modified@@ -257,7 +257,7 @@ function in_text( $name, $size, $tabindex, $data = "") { // <input type=text . ?> <p style = 'margin-top:20px;'> <input type = 'hidden' name = 'step' value = 2 /> - <input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/> + <input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/> </form> </p>
ics213.php+1 −1 modified@@ -35,7 +35,7 @@ function template_213_t () { // table-only portion of page global $item; $out_str = "<TABLE DIR='LTR' BORDER=1 BORDERCOLOR='#000000' CELLPADDING=0 CELLSPACING=0 STYLE='width: 20.32cm; border:2px solid black; background-color: white;'>"; $out_str .= "\n<FORM NAME = 'ics213_form' METHOD = 'post' ACTION = '" . basename(__FILE__) . "' >\n"; - $out_str .= "\n<INPUT TYPE = 'hidden' NAME = 'frm_add_str' VALUE = '{$_POST['frm_add_str']}'/>\n"; + $out_str .= "\n<INPUT TYPE = 'hidden' NAME = 'frm_add_str' VALUE = '" . htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8') . "'/>\n"; $out_str .= "<INPUT TYPE = 'hidden' NAME = 'step' VALUE = 2> <COL WIDTH=46*> <COL WIDTH=54*>
ics213rr.php+1 −1 modified@@ -378,7 +378,7 @@ function in_text( $name, $size, $data, $dis) { // <input type=text ... <SPAN ID='sub_but' class='plain text' style='float: none; width: 120px;; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick="validate(this.form);"><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN><BR /> </div> <input type = 'hidden' name = 'step' value = 2 /> -<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST["frm_add_str"];?>'/> +<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST["frm_add_str"], ENT_QUOTES, 'UTF-8');?>'/> </form> <script> function validate(our_form) { // ics form name check
ics214.php+1 −1 modified@@ -214,7 +214,7 @@ function in_text( $name, $size, $tabindex, $data = "") { // <input type=text . echo template_ics ($item); // fills form with default $item entries ?> <input type = 'hidden' name = 'step' value = 2 /> -<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/> +<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/> </form> <script> function validate(our_form) { // ics form name check
incs/mail_form.php+1 −1 modified@@ -533,7 +533,7 @@ function subval_sort($a,$subkey) { LEFT JOIN `$GLOBALS[mysql_prefix]responder` `r` ON (`a`.`responder_id` = `r`.`id`) LEFT JOIN `$GLOBALS[mysql_prefix]un_status` `s` ON (`r`.`un_status_id` = `s`.`id`) LEFT JOIN `$GLOBALS[mysql_prefix]ticket` `t` ON (`a`.`ticket_id` = `t`.`id`) - WHERE `ticket_id` = {$_GET['ticket_id']} AND (LOCATE('@', `contact_via`) > 1 || (`smsg_id` IS NOT NULL AND `smsg_id` <> '')) + WHERE `ticket_id` = " . intval($_GET['ticket_id']) . " AND (LOCATE('@', `contact_via`) > 1 || (`smsg_id` IS NOT NULL AND `smsg_id` <> '')) AND ((`clear` IS NULL) OR (DATE_FORMAT(`clear`,'%y') = '00')) ORDER BY `name` ASC "; $tik_id = $_GET['ticket_id'];
landb.php+1 −1 modified@@ -771,7 +771,7 @@ function buildMap_c() { // 'create' version - 691 <INPUT TYPE='hidden' NAME = '_func' VALUE='cp' /> <INPUT TYPE='hidden' NAME = 'frm_line_status' VALUE='0' /> <INPUT TYPE='hidden' NAME = 'frm_line_cat_id' VALUE='0' /> - <INPUT TYPE='hidden' NAME = 'frm_line_type' VALUE='<?php echo $_POST['_type'];?>' /> + <INPUT TYPE='hidden' NAME = 'frm_line_type' VALUE='<?php echo htmlspecialchars($_POST['_type'], ENT_QUOTES, 'UTF-8');?>' /> <INPUT TYPE='hidden' NAME = 'frm_line_data' VALUE='' /> <INPUT TYPE='hidden' NAME = 'frm_filled' VALUE='0' /> <INPUT TYPE='hidden' NAME = 'frm_use_with_bm' VALUE='0' />
opena.php+2 −2 modified@@ -9,7 +9,7 @@ error_reporting(E_ALL); //10/1/08 require_once('./incs/functions.inc.php'); //7/28/10 -$call = (empty($_GET))? "": $_GET['frm_call']; // 10/1/08 +$call = (empty($_GET))? "": htmlspecialchars($_GET['frm_call'], ENT_QUOTES, 'UTF-8'); // 10/1/08 ?> @@ -60,7 +60,7 @@ function do_focus() { print "<BR /><H3>Test with aprs.fi succeeds!</H3>"; $temp = ($data->found ); // match count if($temp==0) { - print "<BR /><H3>No data for '{$_GET['frm_call']}'</H3><BR />"; + print "<BR /><H3>No data for '" . htmlspecialchars($_GET['frm_call'], ENT_QUOTES, 'UTF-8') . "'</H3><BR />"; } else { $entry = (object) $data->entries[0];
os_watch.php+7 −7 modified@@ -318,7 +318,7 @@ function do_tbl_footer() { </tr> </table> <input type = hidden name = "mode" value = 11 /> <!-- do_LOG_DB --> -<input type = hidden name = "ref" value = "<?php echo $_POST['ref'];?>" /> +<input type = hidden name = "ref" value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" /> </form> </body> @@ -384,7 +384,7 @@ function set_signal(inval) { <form name='osw_form' method='post' action = '<?php echo basename(__FILE__) ;?>'> <input type = hidden name = "mode" value = "13" /> <!-- do_NOTE_DB --> -<input type = hidden name = "ref" value = "<?php echo $_POST['ref'];?>" /> +<input type = hidden name = "ref" value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" /> <input type = hidden name = 'frm_type' value='' /> <textarea name='frm_text' cols=70 rows = 2 placeholder = "Enter note text"></textarea> <br /> @@ -434,9 +434,9 @@ function set_signal(inval) { ?> <BODY onload = "setTimeout(function(){ do_can(); }, 1500);"> <!-- 1/14/10 --> <form name = "osw_form" method = "post" action = "<?php echo basename(__FILE__); ?>"> -<input type = hidden name = "mode" value = "<?php echo $_POST['mode_orig'];?>" /> <!-- original entry --> -<input type = hidden name = "mode_orig" value = "<?php echo $_POST['mode_orig'];?>" /> -<input type = hidden name = "ref" value = "<?php echo $_POST['ref'];?>" /> +<input type = hidden name = "mode" value = "<?php echo htmlspecialchars($_POST['mode_orig'], ENT_QUOTES, 'UTF-8');?>" /> <!-- original entry --> +<input type = hidden name = "mode_orig" value = "<?php echo htmlspecialchars($_POST['mode_orig'], ENT_QUOTES, 'UTF-8');?>" /> +<input type = hidden name = "ref" value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" /> </form> <center> @@ -546,7 +546,7 @@ function validate () { <form name = 'osw_form' method = post action = "<?php echo basename(__FILE__); ?>"> <input type = hidden name = "mode" value = 15 /> <!-- do_MAIL_SEND --> -<input type = hidden name = "ref" value = "<?php echo $_POST['ref'];?>" /> +<input type = hidden name = "ref" value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" /> <center> <TABLE ALIGN='center' BORDER = 0 style = 'margin-top:20px;'> <TR CLASS='odd'><TH COLSPAN=2>Mail to: <?php print $row['handle']; ?></TH></TR> <!-- 7/2/10 --> @@ -625,7 +625,7 @@ function validate () { <CENTER><BR /><BR /><BR /><H3>Message sent - window closing</H3> <form name = 'osw_form' method = post action = "<?php echo basename(__FILE__); ?>"> <input type = hidden name = "mode" value = "" /> -<input type = hidden name = "ref" value = "<?php echo $_POST['ref'];?>" /> +<input type = hidden name = "ref" value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" /> </form> <?php
patient_JF.php+4 −4 modified@@ -209,7 +209,7 @@ function do_lock(theForm) { // 8/10/08 function do_notify() { var theAddresses = '<?php print implode("|", array_unique($addrs));?>'; // drop dupes var theText= "TICKET - PATIENT: "; - var theId = '<?php print $_GET['ticket_id'];?>'; + var theId = '<?php print intval($_GET['ticket_id']);?>'; // mail_it ($to_str, $text, $ticket_id, $text_sel=1;, $txt_only = FALSE) var params = "frm_to="+ escape(theAddresses) + "&frm_text=" + escape(theText) + "&frm_ticket_id=" + escape(theId) + "&text_sel=1"; // ($to_str, $text, $ticket_id) 10/15/08 @@ -326,7 +326,7 @@ function do_notify() { // dump(stripslashes($row['description'])); ?> <FONT CLASS="header">Edit <?php print get_text("Patient");?> Record</FONT><BR /><BR /> - <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update"><TABLE BORDER="0"> + <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update"><TABLE BORDER="0"> <TR CLASS='even' > <TD><B>Patient Number: <font color='red' size='-1'>*</font></B></TD><TD><INPUT TYPE="text" NAME="frm_name" value="<?php print $row['name'];?>" size="32"></TD></TR> <TR CLASS='odd' VALIGN='top'><TD><B>Description:</B> <font color='red' size='-1'>*</font></TD><TD><TEXTAREA ROWS="8" COLS="45" NAME="frm_description" WRAP="virtual"><?php print $row['description'];?></TEXTAREA></TD></TR> @@ -346,7 +346,7 @@ function do_notify() { else { ?> <BR /><BR /><FONT CLASS="header">Add <?php print get_text("Patient");?> Record</FONT><BR /><BR /> - <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="patient.php?ticket_id=<?php print $_GET['ticket_id'];?>&action=add"><TABLE BORDER="0"> + <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="patient.php?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add"><TABLE BORDER="0"> <TR CLASS='even' > <TD><B>Patient Number:</B> <font color='red' size='-1'>*</font></TD><TD><INPUT TYPE="text" NAME="frm_name" value="" size="32"></TD></TR> <TR CLASS='odd' ><TD><B>Description: </B><font color='red' size='-1'>*</font></TD><TD><TEXTAREA ROWS="8" COLS="45" NAME="frm_description" WRAP="virtual"></TEXTAREA></TD></TR> <!-- 10/19/08 --> @@ -362,7 +362,7 @@ function do_notify() { } ?> <FORM NAME='can_Form' ACTION="main.php"> -<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"> +<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>"> </FORM> </HTML> <?php
patient.php+3 −3 modified@@ -466,7 +466,7 @@ function do_reset (the_form) { $row = stripslashes_deep($result->fetch_assoc()); ?> <SPAN STYLE='margin-left:83px;'><FONT CLASS="header">Edit <?php print get_text('Patient');?> Record</FONT></SPAN><BR /><BR /> - <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update"><TABLE BORDER="0"> + <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update"><TABLE BORDER="0"> <TABLE BORDER="0"> <TR CLASS='even'> <TD CLASS='td_label text'> @@ -686,7 +686,7 @@ function do_reset (the_form) { $pulldown .= "<option value=\"{$row_fc['id']}\">" . $row_fc['name'] . "</option>\n"; } ?> - <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="patient.php?ticket_id=<?php print $_GET['ticket_id'];?>&action=add"> + <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="patient.php?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add"> <TABLE BORDER="0"> <TR CLASS='header'> <TD COLSPAN='99' ALIGN='center'> @@ -822,7 +822,7 @@ function do_reset (the_form) { } ?> <FORM NAME='can_Form' ACTION="main.php"> -<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"> +<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>"> </FORM> <SCRIPT LANGUAGE="Javascript"> if (typeof window.innerWidth != 'undefined') {
patient_w.php+6 −6 modified@@ -338,7 +338,7 @@ function set_signal(inval) { $row = stripslashes_deep($result->fetch_assoc()); print "<FONT CLASS='header text_large'>Really delete " . $patient . " record '" . shorten($row['description'], 24) . "' ? </FONT><BR /><BR />"; ?> - <FORM METHOD='post' NAME='delfrm' ACTION='patient_w.php?action=delete&id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&confirm=1'> + <FORM METHOD='post' NAME='delfrm' ACTION='patient_w.php?action=delete&id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&confirm=1'> <SPAN ID='sub_but' CLASS='plain text' STYLE='width: 100px; float: none; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.delfrm.submit();'><SPAN STYLE='float: left;'><?php print get_text('Yes');?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0 /></SPAN> <SPAN ID='can_but' CLASS='plain text' STYLE='width: 100px; float: none; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.close();'><SPAN STYLE='float: left;'><?php print get_text('Cancel');?></SPAN><IMG STYLE='float: right;' SRC='./images/cancel_small.png' BORDER=0 /></SPAN> </FORM> @@ -479,7 +479,7 @@ function set_signal(inval) { <SPAN ID='reset_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='do_lock(document.patientEd); document.patientEd.reset();'><SPAN STYLE='float: left;'><?php print get_text("Reset");?></SPAN><IMG STYLE='float: right;' SRC='./images/restore_small.png' BORDER=0></SPAN> <SPAN ID='sub_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.patientEd.submit();'><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN> </DIV> - <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="<?php echo basename(__FILE__);?>?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update"> + <FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="<?php echo basename(__FILE__);?>?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update"> <TABLE BORDER="0" STYLE='margin-left: 20px; position: relative; top: 70px;'> <TR CLASS='even' > <TD CLASS='td_label text'><?php print get_text("Patient ID");?>: <font color='red' size='-1'>*</font></TD> @@ -672,7 +672,7 @@ function to_edit(id) { </script> <FORM NAME = "list_form" METHOD = "get" ACTION = "<?php echo basename(__FILE__);?>"> - <INPUT TYPE="hidden" NAME = "ticket_id" VALUE = "<?php echo $_GET['ticket_id'];?>"> + <INPUT TYPE="hidden" NAME = "ticket_id" VALUE = "<?php echo intval($_GET['ticket_id']);?>"> <INPUT TYPE="hidden" NAME = "id" VALUE = ""> <INPUT TYPE="hidden" NAME = "action" VALUE = "edit"> </FORM> @@ -752,7 +752,7 @@ function to_edit(id) { <SPAN ID='reset_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='do_asof(document.patientAdd, false) reset();'><SPAN STYLE='float: left;'><?php print get_text("Reset");?></SPAN><IMG STYLE='float: right;' SRC='./images/restore_small.png' BORDER=0></SPAN> <SPAN ID='sub_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='validate(document.patientAdd);'><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN> </DIV> - <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="<?php echo basename(__FILE__);?>?ticket_id=<?php print $_GET['ticket_id'];?>&action=add"> + <FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);' ACTION="<?php echo basename(__FILE__);?>?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add"> <TABLE BORDER="0" STYLE='margin-left: 20px; position: relative; top: 70px;'> <TR CLASS='even' > <TD CLASS='td_label text text'><?php print get_text("Patient ID");?>: <font color='red' size='-1'>*</font></TD> @@ -908,9 +908,9 @@ function init() { </BODY> <FORM NAME='next_Form' METHOD='get' ACTION='<?php echo basename(__FILE__); ?>'> <INPUT TYPE='hidden' NAME='action' VALUE='list' /> -<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id'];?>' /> +<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_GET['ticket_id']);?>' /> </FORM> <FORM NAME='can_Form' ACTION="main.php"> -<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"> +<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>"> </FORM> </HTML>
routes_i.php+4 −4 modified@@ -235,19 +235,19 @@ function doReset() { <DIV ID="directions" STYLE="width: <?php print get_variable('map_width');?>"></DIV> </TD></TR></TABLE><!-- end outer --> <FORM NAME='can_Form' ACTION="main.php"> - <INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"> - </FORM> + <INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>"> + </FORM> <FORM NAME='routes_Form' METHOD='post' ACTION="<?php print basename( __FILE__); ?>"> <INPUT TYPE='hidden' NAME='func' VALUE='do_db'> - <INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>'> + <INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print intval($_GET['ticket_id']); ?>'> <INPUT TYPE='hidden' NAME='frm_by_id' VALUE= "<?php print $_SESSION['user_id'];?>"> <INPUT TYPE='hidden' NAME='frm_id_str' VALUE= ""> <INPUT TYPE='hidden' NAME='frm_name_str' VALUE= ""> <INPUT TYPE='hidden' NAME='frm_status_id' VALUE= "1"> <INPUT TYPE='hidden' NAME='frm_comments' VALUE= "New"> </FORM> <FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>"> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>'> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_GET['ticket_id']); ?>'> </FORM> </BODY>
routes_nm.php+6 −6 modified@@ -844,7 +844,7 @@ function get_addr(){ // returns incident address </TD> </TR> </TABLE> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> <INPUT TYPE='hidden' NAME='unit_id' VALUE='<?php print $unit_id; ?>' /> </FORM> @@ -893,15 +893,15 @@ function get_addr(){ // returns incident address </DIV> </DIV> <FORM NAME='can_Form' ACTION="main.php"> - <INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"/> + <INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8');?>"/> </FORM> <?php ?> <FORM NAME='routes_Form' METHOD='post' ACTION="<?php print $theAction;?>"> <INPUT TYPE='hidden' NAME='func' VALUE='do_db' /> - <INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> + <INPUT TYPE='hidden' NAME='frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> <INPUT TYPE='hidden' NAME='frm_by_id' VALUE= "<?php print $_SESSION['user_id'];?>" /> <INPUT TYPE='hidden' NAME='frm_id_str' VALUE= "" /> <INPUT TYPE='hidden' NAME='frm_name_str' VALUE= "" /> @@ -912,7 +912,7 @@ function get_addr(){ // returns incident address <INPUT TYPE='hidden' NAME='frm_allow_dirs' VALUE = <?php print $_SESSION['allow_dirs']; ?> /> <!-- 11/21/09 --> </FORM> <FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>"> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> <!-- 10/25/08 --> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> <!-- 10/25/08 --> </FORM> <?php $user_level = is_super() ? 9999 : $_SESSION['user_id']; @@ -922,7 +922,7 @@ function get_addr(){ // returns incident address $al_groups = $_SESSION['user_groups']; ?> <FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>"> - <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' /> <!-- 10/25/08 --> + <INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' /> <!-- 10/25/08 --> </FORM> </BODY> @@ -935,7 +935,7 @@ function get_addr(){ // returns incident address function do_notify() { var theAddresses = '<?php print implode("|", array_unique($addrs));?>'; // drop dupes var theText= "ATTENTION - New Ticket: "; - var theId = '<?php print $_GET['ticket_id'];?>'; + var theId = '<?php print intval($_GET['ticket_id']);?>'; // var params = "frm_to="+ escape(theAddresses) + "&frm_text=" + escape(theText) + "&frm_ticket_id=" + escape(theId); // ($to_str, $text, $ticket_id) 10/15/08 var params = "frm_to="+ theAddresses + "&frm_text=" + theText + "&frm_ticket_id=" + theId ; // ($to_str, $text, $ticket_id) 10/15/08
search.php+1 −1 modified@@ -349,7 +349,7 @@ function TrimString(sInString) { <TABLE CELLPADDING="2" BORDER="0" STYLE = 'margin-left:80px;'> <TR CLASS = "even"> <TD VALIGN="top" CLASS="td_label text">Search for: </TD> - <TD CLASS='td_data text'><INPUT TYPE="text" SIZE="40" MAXLENGTH="255" VALUE="<?php print $post_frm_query;?>" NAME="frm_query"></TD> + <TD CLASS='td_data text'><INPUT TYPE="text" SIZE="40" MAXLENGTH="255" VALUE="<?php print htmlspecialchars($post_frm_query, ENT_QUOTES, 'UTF-8');?>" NAME="frm_query"></TD> </TR> <TR CLASS = "odd"> <TD VALIGN="top" CLASS="td_label text">In: </TD>
single.php+2 −2 modified@@ -68,7 +68,7 @@ <?php if (!(is_guest())) { ?> - <SPAN id='edit_but' class='plain text' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="edit.php?id=<?php print $_GET['ticket_id'];?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN> + <SPAN id='edit_but' class='plain text' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="edit.php?id=<?php print intval($_GET['ticket_id']);?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN> <?php } ?> @@ -78,7 +78,7 @@ if (!(empty($row_ticket))) { // 4/30/10 print do_ticket_wm($row_ticket, $the_width, FALSE, FALSE); } else { - print "<CENTER><H3>No data for Ticket # {$_GET['ticket_id']} </H3>"; + print "<CENTER><H3>No data for Ticket # " . htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8') . " </H3>"; } ?> </DIV>
single_unit.php+1 −1 modified@@ -54,7 +54,7 @@ <?php if (!(is_guest())) { ?> - <SPAN id='edit_but' class='plain' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="?func=responder&edit=true&id&id=<?php print $_GET['id'];?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN> + <SPAN id='edit_but' class='plain' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="?func=responder&edit=true&id&id=<?php print intval($_GET['id']);?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN> <?php } ?>
street_view.php+2 −2 modified@@ -37,8 +37,8 @@ function $() { // 1/19/09 var myPano; - var lat = <?php print $_GET['thelat'];?>; - var lng = <?php print $_GET['thelng'];?>; + var lat = <?php print floatval($_GET['thelat']);?>; + var lng = <?php print floatval($_GET['thelng']);?>; function do_the_view() { var the_loc = new GLatLng(lat,lng); panoramaOptions = { latlng:the_loc };
ticketsmdb_import.php+20 −20 modified@@ -150,16 +150,16 @@ function ck_frames() { </CENTER> </DIV> <FORM NAME='dodelete_Form' METHOD="post" ACTION = "ticketsmdb_import.php?mode=dodelete"> - <INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print $_POST['mdbhost'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print $_POST['mdbdb'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print $_POST['mdbuser'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print $_POST['mdbpassword'];?>" /> - <INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print $_POST['mdbprefix'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print $_POST['ticketshost'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print $_POST['ticketsdb'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print $_POST['ticketsuser'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print $_POST['ticketspassword'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print $_POST['ticketsprefix'];?>" /> + <INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print htmlspecialchars($_POST['mdbhost'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print htmlspecialchars($_POST['mdbdb'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print htmlspecialchars($_POST['mdbuser'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print htmlspecialchars($_POST['mdbpassword'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print htmlspecialchars($_POST['mdbprefix'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>" /> </FORM> <FORM NAME='nodelete_Form' METHOD="post" ACTION = "config.php"></FORM> <?php @@ -319,16 +319,16 @@ function ck_frames() { </CENTER> </DIV> <FORM NAME='go_Form' METHOD="post" ACTION = "ticketsmdb_import.php?mode=go"> - <INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print $_POST['mdbhost'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print $_POST['mdbdb'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print $_POST['mdbuser'];?>"/> - <INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print $_POST['mdbpassword'];?>" /> - <INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print $_POST['mdbprefix'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print $_POST['ticketshost'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print $_POST['ticketsdb'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print $_POST['ticketsuser'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print $_POST['ticketspassword'];?>" /> - <INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print $_POST['ticketsprefix'];?>" /> + <INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print htmlspecialchars($_POST['mdbhost'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print htmlspecialchars($_POST['mdbdb'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print htmlspecialchars($_POST['mdbuser'], ENT_QUOTES, 'UTF-8');?>"/> + <INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print htmlspecialchars($_POST['mdbpassword'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print htmlspecialchars($_POST['mdbprefix'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>" /> + <INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>" /> </FORM> <?php break;
Vulnerability mechanics
Root cause
"Missing input sanitization in incs/remotes.inc.php — latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service responses are concatenated directly into SQL UPDATE and INSERT statements without parameterization or escaping."
Attack vector
An attacker who can compromise or impersonate the external GPS tracking service endpoint (InstaMapper or Google Latitude integration) sends a crafted XML or JSON response containing malicious SQL payloads in fields such as latitude, longitude, callsign, mph, altitude, or timestamp. Because these values are concatenated unsanitized into UPDATE and INSERT statements in incs/remotes.inc.php, the injected SQL is executed against the database. The attack is network-based, requires no authentication, and can manipulate responder location, tracks, and assignment tables. The patch does not include the diff for incs/remotes.inc.php, so the exact vulnerable code path is not shown in the bundle.
Affected code
The vulnerable file is incs/remotes.inc.php, which processes GPS tracking data from external services (InstaMapper and Google Latitude). The patch does not include the diff for this file, so the exact line numbers and code paths are not visible in the bundle. The commit message confirms the fix addresses SQL injection in this file by sanitizing latitude, longitude, callsign, mph, altitude, and timestamp values before they are used in UPDATE and INSERT statements.
What the fix does
The commit message states that the SQL injection in incs/remotes.inc.php was fixed, but the bundle does not contain the actual diff for that file. The patch instead shows 69 reflected XSS fixes across 22 other files (e.g., ticketsmdb_import.php, delete_module.php, os_watch.php, patient_w.php, routes_nm.php, db_loader.php, routes_i.php, patient_JF.php) where raw $_GET/$_POST values were wrapped with htmlspecialchars(), intval(), or floatval(). For the SQL injection specifically, the commit message notes that a similar issue in incs/mail_form.php line 536 was fixed by wrapping $_GET['ticket_id'] with intval(), suggesting the same approach (type casting or parameterized queries) was applied to incs/remotes.inc.php.
Preconditions
- networkAttacker must be able to compromise or impersonate the external GPS tracking service endpoint (InstaMapper or Google Latitude) that Open ISES Tickets queries for location data.
- configThe application must have the GPS tracking integration feature enabled and configured to fetch data from the external service.
Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.