CiviCRM: CRM-19562

Contact "send mail" : potential SQLi due to lack of input validation

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Important
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.7.12
    • Fix Version/s: 4.6.24, 4.7.14
    • Component/s: Core CiviCRM
    • Security Level: Security - Published
    • Labels:
      None
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      How to reproduce:

      • Go to a contact record
      • middle-click on "Actions -> Send email" (so that it opens in a new tab)
      • Disable javascript
      • Enter "foo@example.org" in the "To" field.
      • Click submit.

      Result: SQL error.

      SQL snippet:

      "SELECT contact_a.id as contact_id, contact_a.sort_name as `sort_name`, [...] WHERE ( ( contact_a.id IN (2,foo@example.org ) ) ) LIMIT 0, 2"

      #17 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/CRM/Utils/Token.php(1243): CRM_Contact_BAO_Query::apiQuery((Array:2), (Array:7), NULL, NULL, 0, 2)
      #18 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/CRM/Contact/Form/Task/EmailCommon.php(234): CRM_Utils_Token::getTokenDetails((Array:2), (Array:7), FALSE, FALSE)
      #19 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/CRM/Contact/Form/Task/Email.php(154): CRM_Contact_Form_Task_EmailCommon::buildQuickForm(Object(CRM_Contact_Form_Task_Email))
      #20 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/CRM/Core/Form.php(548): CRM_Contact_Form_Task_Email->buildQuickForm()
      #21 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/CRM/Core/QuickForm/Action/Upload.php(126): CRM_Core_Form->buildForm()
      #22 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/packages/HTML/QuickForm/Controller.php(203): CRM_Core_QuickForm_Action_Upload->perform(Object(CRM_Contact_Form_Task_Email), "upload")
      #23 /var/aegir/platforms/civicrm-4.7/sites/all/modules/civicrm/packages/HTML/QuickForm/Page.php(103): HTML_QuickForm_Controller->handle(Object(CRM_Contact_Form_Task_Email), "upload")

      In CRM/Contact/Form/Task/EmailCommon.php, the contact IDs for TO/CC/BCC do not seem to be validated?

      https://github.com/civicrm/civicrm-core/blob/master/CRM/Contact/Form/Task/EmailCommon.php#L230

      Quick link for the "send mail" on the demo site:
      http://dmaster.demo.civicrm.org/civicrm/activity/email/add?action=add&reset=1&cid=128&selectedChild=activity&atype=3

      To disable javascript, in Firefox you can do F12, then click on the "gear" icon. In the "advanced parameters" there is an option to disable javascript for the current tab.

      Issue discovered by Marc Brazeau.
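The query quoted above ends in `contact_a.id IN (2,foo@example.org )`: whatever the form posted for To/CC/BCC was joined into the IN list without a server-side check, so the select2 widget's JavaScript was the only thing keeping non-numeric values out. The following is an added illustration of that pattern and of the check the form needs; it is not CiviCRM code and not part of the report. It runs against an in-memory SQLite table with three constructed rows (CiviCRM itself runs this through CRM_Contact_BAO_Query on MySQL), and the `3) OR (1=1` payload is a constructed example, not something the reporter submitted.

```python
"""Added illustration of the pattern behind CRM-19562 (not CiviCRM code).

build_contact_query_unsafe() reproduces the shape of the WHERE clause in the
report, with the submitted strings interpolated straight into IN (...).
validate_contact_ids() and build_contact_query_safe() show the server-side
check that should run before any of those values reach SQL.  The table, rows
and payloads are constructed for the demo.
"""
import re
import sqlite3

# Constructed sample data standing in for civicrm_contact.
CONTACTS = [(1, "Adams, Alice"), (2, "Baker, Bob"), (3, "Clark, Carol")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE civicrm_contact (id INTEGER PRIMARY KEY, sort_name TEXT)")
    conn.executemany("INSERT INTO civicrm_contact VALUES (?, ?)", CONTACTS)
    return conn


def build_contact_query_unsafe(values):
    """Vulnerable: the raw form values become the IN list, so anything that is
    not an integer becomes SQL (a syntax error at best, a widened query at worst)."""
    return ("SELECT contact_a.id AS contact_id, contact_a.sort_name AS sort_name "
            "FROM civicrm_contact contact_a "
            "WHERE ( contact_a.id IN (%s) )" % ",".join(values))


def validate_contact_ids(values):
    """Return the submitted values as ints, rejecting anything that is not a
    positive integer.  Raising here lets the form report a validation error
    instead of passing the value on; it is the check that is independent of
    the JavaScript widget the reporter bypassed by disabling JavaScript."""
    ids = []
    for v in values:
        s = str(v).strip()
        if not re.fullmatch(r"[1-9][0-9]*", s):
            raise ValueError("invalid contact id: %r" % (v,))
        ids.append(int(s))
    return ids


def build_contact_query_safe(values):
    """Hardened: only validated ints reach the query, and they are bound as
    parameters rather than interpolated (the validation alone already closes
    the hole; binding is the belt to its braces)."""
    ids = validate_contact_ids(values)
    placeholders = ",".join("?" for _ in ids)
    sql = ("SELECT contact_a.id AS contact_id, contact_a.sort_name AS sort_name "
           "FROM civicrm_contact contact_a "
           "WHERE ( contact_a.id IN (%s) )" % placeholders)
    return sql, ids


def fetch_unsafe(conn, values):
    return sorted(row[0] for row in conn.execute(build_contact_query_unsafe(values)))


def fetch_safe(conn, values):
    sql, ids = build_contact_query_safe(values)
    return sorted(row[0] for row in conn.execute(sql, ids))


def demo():
    """Run the same three submissions through both builders and collect the outcomes."""
    conn = setup_db()
    cases = {
        "legit": ["2"],                       # what the widget would normally post
        "garbage": ["2", "foo@example.org"],  # the report's repro: SQL syntax error
        "injected": ["2", "3) OR (1=1"],      # constructed payload that escapes the IN list
    }
    results = {}
    for name, values in cases.items():
        try:
            results["unsafe_" + name] = fetch_unsafe(conn, values)
        except sqlite3.Error:
            results["unsafe_" + name] = "SQL error"
        try:
            results["safe_" + name] = fetch_safe(conn, values)
        except ValueError:
            results["safe_" + name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-17s %s" % (key, value))
```

The `garbage` case is the reporter's observation (an SQL error from `foo@example.org` landing in the IN list); the `injected` case is what that same missing check allows once the value is shaped to close the parenthesis, returning every contact instead of the selected one. The safe builder rejects both at validation time and never builds the query.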

People

• Assignee:
  timotten Tim Otten
• Reporter:
  mlutfy Mathieu Lutfy
• Authorized Participants:
  Marc Brazeau