
Maybe potential SQL injection

edited November 2016 in Security
I found two potential SQL injections. 

0x1 > framework/modules/eaas/controllers/eaasController.php, $key can be controlled. And in line 33 of framework/core/models/expConfig.php, $this->location_data can be controlled and injected. It is possible to do boolean-based blind SQL injection via the param apikey. 

[Suggest Fix]: parent::__construct($db->selectValue($this->table, 'id', "location_data='".expString::escape($this->location_data)."'"));

0x2. In the function activate_address of the file framework/modules/addressbook/controllers/addressController.php, $this->params['is_what'] can be controlled and injected. It is possible to do time-based SQL injection via the param 'is_what'. 
Although there is an expString::escape filter, it can be bypassed like is_what= "firstname=0x61 where sleep(10)-- a". 

[Suggest Fix]: $is_what should be an existing column;

Sorry, the previous one is down. I post again.
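The second report illustrates why escaping does not help here: is_what is used as a column identifier, not a string literal, so the fix is an allowlist rather than a filter. The following is an added example written for this thread, not Exponent CMS code; the column names, the addresses table and the PDO connection are assumptions.

```php
<?php
// Added example (not Exponent CMS code): validate a caller-supplied column
// name against an allowlist before it is interpolated into a WHERE clause.
// expString::escape-style escaping protects string literals; it does nothing
// for identifiers, so the value must be restricted to a fixed set of columns.

// Hypothetical set of columns that activate_address is allowed to match on.
const ADDRESS_FLAG_COLUMNS = ['is_default', 'is_billing', 'is_shipping'];

/**
 * Return the validated column name, or throw if it is not allowlisted.
 * Strict in_array() means the comparison is exact; no escaping is involved.
 */
function validatedAddressColumn(string $isWhat): string
{
    if (!in_array($isWhat, ADDRESS_FLAG_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown address column: ' . $isWhat);
    }
    return $isWhat;
}

/**
 * Build the UPDATE using only the allowlisted column and a bound placeholder
 * for the user id. $db is assumed to be a PDO connection to the CMS database.
 */
function clearAddressFlag(PDO $db, string $isWhat, int $userId): int
{
    $column = validatedAddressColumn($isWhat);
    $stmt = $db->prepare("UPDATE addresses SET {$column} = 0 WHERE user_id = :uid");
    $stmt->execute([':uid' => $userId]);
    return $stmt->rowCount();
}

// Constructed inputs: the first is accepted, the second is rejected before any
// SQL is built, so the content of the string never reaches the query.
foreach (['is_default', 'email'] as $candidate) {
    try {
        echo validatedAddressColumn($candidate), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```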

Comments

  • Please be patient, we are attempting to address over 3 dozen reports, many of which are duplicates.