
Possible (but unlikely) SQL injection in activity processing

    Details

    • Type: Bug
    • Status: Won't Do
    • Priority: Trivial
    • Resolution: Won't Do
    • Affects Version/s: 4.7.27
    • Fix Version/s: None
    • Component/s: CiviCase, CiviMail
    • Labels:
      None
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      None
    • Funding Source:
      Needs Funding
    • Verified?:
      No

      Description

      Around line 607 in CRM/Activity/BAO/Activity.php it does something like this:

      // CRM/Activity/BAO/Activity.php, around line 607 (excerpt as quoted in the report;
      // the literal brackets in the pattern are escaped, as they are in the PHP source)
      if (preg_match('/\[case #([0-9a-h]{7})\]/', CRM_Utils_Array::value('subject', $params), $matches)) {
        $key = CRM_Core_DAO::escapeString(CIVICRM_SITE_KEY);
        $hash = $matches[1];
        $query = "SELECT id FROM civicrm_case WHERE SUBSTR(SHA1(CONCAT('$key', id)), 1, 7) = '$hash'";
        $caseParams = array(
          'activity_id' => $activity->id,
          'case_id' => CRM_Core_DAO::singleValueQuery($query),
        );
        // (rest of the block omitted in the report)
      }

      The $hash variable is injected without escaping. Since the subject line is user-input, it can't be trusted. The problem is mitigated by the fact that the variable will either be empty or match the pattern described in the preg_match(), and I can't think of a possible pattern there that would create a vulnerability, but somebody maybe smarter could.

      Simplest fix is probably to do the same as it does for $key:

      $query = "SELECT id FROM civicrm_case WHERE SUBSTR(SHA1(CONCAT('$key', id)), 1, 7) = '" . CRM_Core_DAO::escapeString($hash) . "'";
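      An added illustration, not code from the report or from CiviCRM: the lookup rebuilt in Python so the report's mitigation claim can be checked directly. It derives the full set of characters the capture group admits and confirms none of them is a character MySQL string escaping rewrites, and it builds the same lookup with both values bound in the CiviCRM-style `%N` / `[value, type]` shape instead of interpolated. Function names such as `extract_case_hash` and the bound-parameter shape are assumptions of this example and are not executed against a database here.

```python
import re

# Pattern from the report, with the literal brackets escaped as the PHP source
# has them; the capture is limited to seven characters from [0-9a-h].
CASE_HASH_RE = re.compile(r"\[case #([0-9a-h]{7})\]")

# Characters that MySQL string escaping (what CRM_Core_DAO::escapeString wraps)
# rewrites: backslash, both quotes, NUL, newline, carriage return, Ctrl-Z.
MYSQL_META = set("\\'\"\0\n\r\x1a")


def extract_case_hash(subject):
    """Return the 7-character case hash from a subject line, or None if absent."""
    m = CASE_HASH_RE.search(subject or "")
    return m.group(1) if m else None


def interpolated_query(subject, key):
    """The lookup as the report shows it: $hash dropped straight into the SQL."""
    h = extract_case_hash(subject)
    if h is None:
        return None
    return ("SELECT id FROM civicrm_case "
            "WHERE SUBSTR(SHA1(CONCAT('%s', id)), 1, 7) = '%s'" % (key, h))


def parameterized_query(subject, key):
    """Same lookup with both values bound instead of interpolated.

    Returns (sql, params) in the assumed CiviCRM %N / [value, type] shape,
    so the DAO layer rather than string concatenation quotes the values.
    """
    h = extract_case_hash(subject)
    if h is None:
        return None
    sql = ("SELECT id FROM civicrm_case "
           "WHERE SUBSTR(SHA1(CONCAT(%1, id)), 1, 7) = %2")
    return sql, {1: (key, "String"), 2: (h, "String")}


def regex_alphabet():
    """Every single character the capture group can admit (derived, not assumed)."""
    return {chr(i) for i in range(256) if re.fullmatch(r"[0-9a-h]", chr(i))}


def hash_cannot_break_out(h):
    """True when escaping would leave the hash unchanged: no metacharacters."""
    return h is not None and not (set(h) & MYSQL_META)
```

      A subject that tries to smuggle a quote into the bracketed hash simply fails the regex, so no query is built at all; a hash that does match is drawn from an alphabet disjoint from the escape set, which is what makes the report's assessment hold.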

            People

            • Assignee:
              Unassigned
            • Reporter:
              demeritcowboy Dave D