Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.6.15, 4.7.6
    • Fix Version/s: 4.6.24, 4.7.14
    • Component/s: CiviCRM API
    • Security Level: Security - Published
    • Labels:
      None
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      During the follow-up on CRM-17983, I discovered that the API is vulnerable to SQL injection too.

      $result = civicrm_api3('Participant', 'get', array(
        'sequential' => 1,
        'options' => array('sort' => "sleep(1)"),
      ));
      

      All versions since 4.3 are vulnerable (I looked on GitHub, so probably even before), but not all calls in every version are vulnerable (e.g. calls using \Civi\API\SelectQuery are not vulnerable).

      Because of the fixes since CRM-17983, the fix is quite simple in 4.7.
      In 4.6 it needs some more work as all the CRM_Utils_Type have to be backported yet.

      Validation should happen in _civicrm_api3_get_options_from_params
      https://github.com/civicrm/civicrm-core/blob/d98d744dc8dca72f88570dfb22eecee47ec9624c/api/v3/utils.php#L831

      Escaping should happen in _civicrm_api3_get_query_object
      https://github.com/civicrm/civicrm-core/blob/d98d744dc8dca72f88570dfb22eecee47ec9624c/api/v3/utils.php#L669

      I will provide a patch to fix 4.6 and 4.7, I'm not sure if other versions should be fixed too.
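
One way to do the validation the report calls for on the `sort` option, as an added example that is not CiviCRM's code or the reporter's patch. The function name `example_validate_sort` and the accepted grammar (`column` or `table.column`, optional ASC/DESC, comma-separated) are assumptions.

```php
<?php
// Added illustration; the function name and rules are hypothetical, not CiviCRM code.

/**
 * Validate an API "sort" option before it is placed in an ORDER BY clause.
 * Accepts a comma-separated list of `column` or `table.column`, each with an
 * optional ASC/DESC direction. Returns a normalized clause or throws.
 */
function example_validate_sort($sort) {
  if (!is_string($sort) || trim($sort) === '') {
    throw new InvalidArgumentException('sort must be a non-empty string');
  }
  // Identifier: letter or underscore first, then word characters, max 64 chars.
  $id = '[A-Za-z_][A-Za-z0-9_]{0,63}';
  $pattern = '/^(' . $id . '(?:\.' . $id . ')?)(?:\s+(ASC|DESC))?$/iD';
  $clauses = array();
  foreach (explode(',', $sort) as $part) {
    if (!preg_match($pattern, trim($part), $m)) {
      // Anything outside the grammar (parentheses, operators, extra tokens)
      // is refused rather than escaped.
      throw new InvalidArgumentException('invalid sort clause: ' . $part);
    }
    // Quote each identifier segment and normalize the direction keyword.
    $column = '`' . str_replace('.', '`.`', $m[1]) . '`';
    $direction = !empty($m[2]) ? strtoupper($m[2]) : 'ASC';
    $clauses[] = $column . ' ' . $direction;
  }
  return implode(', ', $clauses);
}

// Constructed sample inputs: legitimate sorts, the value from the report,
// and a clause with a trailing token that does not fit the grammar.
$samples = array(
  'sort_name',
  'contact_id desc, event_id ASC',
  'civicrm_contact.sort_name DESC',
  'sleep(1)',
  'sort_name ASC extra',
);
foreach ($samples as $s) {
  try {
    echo str_pad($s, 34), ' => ', example_validate_sort($s), PHP_EOL;
  }
  catch (InvalidArgumentException $e) {
    echo str_pad($s, 34), ' => rejected', PHP_EOL;
  }
}
```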

            People

            • Assignee:
              jlacey Joseph Lacey
              Reporter:
              mollux Mattias Michaux