Description
Around line 607 in CRM/Activity/BAO/Activity.php it does something like this:
if (preg_match('/\[case #([0-9a-h]{7})\]/', CRM_Utils_Array::value('subject', $params), $matches)) {
  $key = CRM_Core_DAO::escapeString(CIVICRM_SITE_KEY);
  $hash = $matches[1];
  $query = "SELECT id FROM civicrm_case WHERE SUBSTR(SHA1(CONCAT('$key', id)), 1, 7) = '$hash'";
  $caseParams = array(
    'activity_id' => $activity->id,
    'case_id' => CRM_Core_DAO::singleValueQuery($query),
  );
  // ...
}
The $hash variable is injected without escaping. Since the subject line is user input, it can't be trusted. The problem is mitigated by the fact that the variable will either be empty or match the pattern described in the preg_match(), and I can't think of a possible pattern there that would create a vulnerability, but somebody smarter maybe could.
The simplest fix is probably to do the same as it does for $key:
$query = "SELECT id FROM civicrm_case WHERE SUBSTR(SHA1(CONCAT('$key', id)), 1, 7) = '" . CRM_Core_DAO::escapeString($hash) . "'";
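The lookup redone as a stand-alone script (an added example, not CiviCRM's code) so both points above can be checked offline on constructed data: the regex only ever yields seven [0-9a-h] characters, and the hash is escaped before interpolation regardless. addslashes() is assumed as a stand-in for CRM_Core_DAO::escapeString(), which needs a database handle, and SITE_KEY is a placeholder.

```php
<?php
// Added example, not CiviCRM's own code: the subject-tag lookup redone in plain
// PHP on constructed data, so both points above can be checked offline: the regex
// only ever yields seven [0-9a-h] characters, and the hash is escaped anyway.
// addslashes() stands in for CRM_Core_DAO::escapeString(), which needs a DB handle.

const SITE_KEY = 'constructed-site-key'; // placeholder, not a real CIVICRM_SITE_KEY

/** Return the 7-char case hash from a subject line, or NULL when no tag is present. */
function extractCaseHash(string $subject): ?string
{
    // Brackets are escaped so "[case #...]" is matched literally.
    return preg_match('/\[case #([0-9a-h]{7})\]/', $subject, $m) ? $m[1] : NULL;
}

/** Build the lookup query with every interpolated value passed through the escaper. */
function buildCaseLookupQuery(string $key, string $hash, callable $escape): string
{
    return "SELECT id FROM civicrm_case WHERE SUBSTR(SHA1(CONCAT('"
        . $escape($key) . "', id)), 1, 7) = '" . $escape($hash) . "'";
}

/** Emulate the SQL: the case id whose SHA1(key . id) prefix equals the hash. */
function findCaseId(string $key, string $hash, array $caseIds): ?int
{
    foreach ($caseIds as $id) {
        if (substr(sha1($key . $id), 0, 7) === $hash) {
            return $id;
        }
    }
    return NULL;
}

// Constructed data: three case ids and the tag that mail about case 42 would carry.
$caseIds = [7, 42, 1001];
$tag = substr(sha1(SITE_KEY . 42), 0, 7);
$subjects = [
    "Re: follow-up [case #$tag]",        // well-formed tag: resolves to case 42
    "Re: follow-up [case #zzzzzzz]",     // outside [0-9a-h]: no match, no query
    "Re: follow-up [case #abc'def]",     // a quote never reaches the query at all
];
foreach ($subjects as $subject) {
    $hash = extractCaseHash($subject);
    $caseId = $hash === NULL ? NULL : findCaseId(SITE_KEY, $hash, $caseIds);
    printf("%-34s hash=%-9s case=%s\n", $subject, var_export($hash, TRUE), var_export($caseId, TRUE));
    if ($hash !== NULL) {
        echo '  ', buildCaseLookupQuery(SITE_KEY, $hash, 'addslashes'), "\n";
    }
}
```

Only the first subject produces a query and a case id; the other two never reach the database, which is the mitigation the report describes, and the escaper still guards the value that does.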