Details
- Type: Bug
- Status: Done/Fixed
- Priority: Important
- Resolution: Fixed/Completed
- Affects Version/s: 4.7.16, 4.6.26
- Component/s: Drupal Integration Modules
- Security Level: Security - Published
- Labels: None
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: None
- Funding Source: Contributed Code
- Verified?: Yes
Description
Reported by John Kingsnorth as follows. I have replicated today on current dmaster.
---8<---
I think I’ve just come across an SQL injection vulnerability with custom field values.
Summary and scope:
CiviCRM with Drupal Views is vulnerable to SQL injection in the ‘values’ of custom field options due to mishandling of apostrophes. The scope may be broader, if CiviCRM also mishandles the apostrophes when running queries, or in non-multi-select cases, but I have not been able to replicate this yet.
It is exploitable on sites that have multi-value custom fields, by users with permissions to create/edit custom field options.
Steps to recreate:
Starting with a plain installation of CiviCRM and Drupal 7 (with Views enabled)
Add a set of custom fields: ‘Fields’ used for ‘Contacts’
Add a field: ‘Foo’, Alphanumeric, CheckBox, Create a new set of options…
· Label: Safe // Value: Safe
· Label: Unsafe // Value: '))) OR 1=1 OR ((( 1='
Add the new table to the DB definitions in settings.php
Go to Drupal > Structure > Views > Add View
View name: ‘Injection’, Show ‘CiviCRM Contacts’, continue and edit
Add a Filter ‘CiviCRM Custom: Fields: Foo’
· Expose the filter
· Default options
· Apply
When the filter is used with ‘safe’ specified: 0 results, expected, no contacts have the value
When the filter is used with ‘unsafe’ specified: all contacts returned, unexpected, SQL has been injected:
SELECT civicrm_contact.id AS id
FROM
civicrm_contact
LEFT JOIN
civicrm_value_fields_11 ON civicrm_contact.id = civicrm_value_fields_11.entity_id
WHERE (( (civicrm_value_fields_11.foo_27 LIKE '%'))) OR 1=1 OR ((( 1='%' ) ))
LIMIT 10 OFFSET 0
---8<---
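The query quoted in the report shows the root cause: the option value is spliced into the LIKE string literal, so an apostrophe in the value closes the literal and the remainder is parsed as SQL. The following is an added illustration, not code from the report or from CiviCRM or the Drupal Views integration. It uses an in-memory SQLite database (a stand-in for MySQL) with constructed rows in tables named after the ones in the reported query, rebuilds the vulnerable interpolation pattern, and places the hardened form next to it: the pattern is passed as a bound parameter and LIKE wildcards inside the value are escaped, which is the check a reviewer would also want because binding alone still lets `%` and `_` act as wildcards.

```python
import sqlite3

# Constructed in-memory stand-in for the two tables named in the report (SQLite
# instead of MySQL; the rows are made up for this example). Contact 2 has no
# custom-value row at all, contact 3 holds a literal percent sign.
SCHEMA = """
CREATE TABLE civicrm_contact (id INTEGER PRIMARY KEY);
CREATE TABLE civicrm_value_fields_11 (entity_id INTEGER, foo_27 TEXT);
INSERT INTO civicrm_contact (id) VALUES (1), (2), (3);
INSERT INTO civicrm_value_fields_11 (entity_id, foo_27) VALUES (1, 'Other'), (3, '100%');
"""

# The two option values from the report.
SAFE_VALUE = "Safe"
UNSAFE_VALUE = "'))) OR 1=1 OR ((( 1='"

BASE_SELECT = (
    "SELECT civicrm_contact.id AS id FROM civicrm_contact "
    "LEFT JOIN civicrm_value_fields_11 "
    "ON civicrm_contact.id = civicrm_value_fields_11.entity_id "
)


def open_db():
    """Create and populate the sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(value):
    """Reproduce the interpolation pattern visible in the reported query: the
    option value is concatenated straight into the LIKE literal, so an apostrophe
    in the value terminates the string and the rest of the value becomes SQL."""
    return BASE_SELECT + "WHERE (( (civicrm_value_fields_11.foo_27 LIKE '%" + value + "%' ) ))"


def run_vulnerable(conn, value):
    """Execute the concatenated query and return matching contact ids."""
    return sorted(row[0] for row in conn.execute(build_vulnerable_sql(value)))


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters so the value is matched literally.
    Parameter binding stops injection, but '%' and '_' inside a bound value
    would still act as wildcards without this step."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def run_parameterized(conn, value):
    """Hardened form: the pattern travels as a bound parameter, never as SQL
    text, and wildcards inside the value are escaped."""
    sql = BASE_SELECT + "WHERE civicrm_value_fields_11.foo_27 LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(value) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = open_db()
    print("concatenated, Safe   ->", run_vulnerable(db, SAFE_VALUE))       # []
    print("concatenated, Unsafe ->", run_vulnerable(db, UNSAFE_VALUE))     # [1, 2, 3]
    print("bound, Unsafe        ->", run_parameterized(db, UNSAFE_VALUE))  # []
    print("bound, '%'           ->", run_parameterized(db, "%"))           # [3]
```

With the concatenated form the "unsafe" option returns every contact, matching the report; with the bound form the same value is just a pattern that matches nothing. In the Drupal 7 code path the corresponding tools are the `:placeholder` arguments of `db_query()` together with `db_like()` for wildcard escaping, and in CiviCRM the parameter array accepted by `CRM_Core_DAO::executeQuery()`; which of these the actual fix used is not stated on this page.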