Description
Four files build LIKE clauses by interpolating the filter request variable directly into the query string after passing it through sanitize_search_string(). That function does not strip the LIKE metacharacters %, _, or \, so a user can supply wildcard patterns (for example a bare % or a series of %x% fragments) that widen the match to the whole table or force expensive pattern scans, enabling excessive result set expansion or timing-based inference against rows the filter was not meant to expose.
Affected Files
mactrack_view_devices.php lines 159-162
mactrack_view_sites.php lines 96-100
mactrack_macauth.php lines 222-223
mactrack_sites.php lines 294-298
Suggested Fix
Use db_qstr('%' . get_request_var('filter') . '%') so the value is embedded as a properly quoted SQL string literal, matching the pattern already used correctly in mactrack_view_macs.php, mactrack_view_arp.php, and mactrack_view_dot1x.php. Note that quoting the string does not make %, _, or \ inert inside a LIKE pattern; if the filter is meant to match literally, those characters should additionally be escaped (and the query given a matching ESCAPE clause) before the value is wrapped in the surrounding wildcards.
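To make the wildcard problem concrete, the following is an added example (not code from the mactrack plugin or Cacti) that reproduces the three stages on a constructed SQLite table: the flawed interpolation, a parameterized query that still leaves wildcards active, and a query that escapes the LIKE metacharacters so user input matches literally. The table, hostnames, and helper names are assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample hostnames (not real mactrack data); note the literal _ and %.
SAMPLE_HOSTS = ["core-sw1", "core-sw2", "edge_fw", "edge-fw2", "lab%test"]

# Escape character used in the ESCAPE clause below (assumed, any single char works).
LIKE_ESCAPE = "\\"


def escape_like(value: str, esc: str = LIKE_ESCAPE) -> str:
    """Escape LIKE metacharacters so the user's input matches only itself.

    The escape character is doubled first so a user-supplied backslash cannot
    swallow the escape we add in front of % or _.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the device table a filter runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (hostname TEXT NOT NULL)")
    conn.executemany("INSERT INTO device (hostname) VALUES (?)",
                     [(h,) for h in SAMPLE_HOSTS])
    return conn


def search_interpolated(conn: sqlite3.Connection, filter_value: str) -> list:
    """Mirrors the flawed pattern: filter spliced into the LIKE literal.

    Even when quotes have been stripped upstream, % and _ in filter_value are
    still interpreted as wildcards by the database.
    """
    sql = ("SELECT hostname FROM device WHERE hostname LIKE '%"
           + filter_value + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn: sqlite3.Connection, filter_value: str) -> list:
    """Value bound as a parameter (the analogue of quoting with db_qstr).

    This closes the string-literal problem but wildcards inside the value
    are still active: a bare % still returns every row.
    """
    pattern = "%" + filter_value + "%"
    rows = conn.execute("SELECT hostname FROM device WHERE hostname LIKE ?",
                        (pattern,))
    return sorted(row[0] for row in rows)


def search_literal(conn: sqlite3.Connection, filter_value: str) -> list:
    """Bound and escaped: %, _ and \\ in the user's input match themselves only."""
    pattern = "%" + escape_like(filter_value) + "%"
    rows = conn.execute(
        "SELECT hostname FROM device WHERE hostname LIKE ? ESCAPE '\\'",
        (pattern,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = build_db()
    for probe in ("edge_fw", "%", "lab%"):
        print(repr(probe),
              "interpolated:", search_interpolated(db, probe),
              "parameterized:", search_parameterized(db, probe),
              "literal:", search_literal(db, probe))
```

Running the block shows that "edge_fw" matches both edge_fw and edge-fw2 under the first two searches because _ matches any single character, and that a bare % dumps the whole table; only the escaped form confines the match to hostnames that actually contain the typed characters. The same reasoning applies to a MySQL LIKE in the PHP files listed above: quoting the value is necessary, and escaping % and _ is what actually neutralizes the wildcard behaviour.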