CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API
CiviCRM v4.2.0 - v4.2.9, v4.3.0 - v4.3.3
CiviCRM v4.2.10 and v4.3.4
The "Quick Search" bar in CiviCRM v4.3 includes a backend for processing search requests which is split in two layers. Both layers may be accessed remotely by backend users with permission "access CiviCRM." A malicious user may bypass one layer (which performs SQL validation/escaping) and call the second layer directly (thus bypassing SQL validation/escaping).
Note: The scope of the SQL injection is limited compared to a typical SQL injection because CiviCRM's SQL API does not accept SQL queries with multiple statements. Consequently:
- Attackers cannot inject new SQL statements involving INSERT, UPDATE, DELETE, ALTER, etc.
- An attacker can inject a sub-SELECT to implicitly reveal data from unrelated SQL tables.
- An attacker can inject an inline variable-assignment ("SELECT @some_mysql_session_var := 2").
- Upgrade to CiviCRM 4.2.10 or 4.3.4+
- Tim Otten (CiviCRM LLC)
- Coleman Watts (CiviCRM LLC)