CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API

The "Quick Search" bar in CiviCRM v4.3 includes a backend for processing search requests which is split in two layers. Both layers may be accessed remotely by backend users with permission "access CiviCRM." A malicious user may bypass one layer (which performs SQL validation/escaping) and call the second layer directly (thus bypassing SQL validation/escaping).

Note: The scope of the SQL injection is limited compared to a typical SQL injection because CiviCRM's SQL API does not accept SQL queries with multiple statements. Consequently:

Attackers cannot inject new SQL statements involving INSERT, UPDATE, DELETE, ALTER, etc.
An attacker can inject a sub-SELECT to implicitly reveal data from unrelated SQL tables.
An attacker can inject an inline variable-assignment ("SELECT @some_mysql_session_var := 2").

Security Risk

Less Critical

Vulnerability

SQL Injection

Affected Versions

CiviCRM v4.2.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4

Solutions

Upgrade to CiviCRM 4.2.10 or 4.3.4+

Credits

Tim Otten (CiviCRM LLC)
Coleman Watts (CiviCRM LLC)

References

http://issues.civicrm.org/jira/browse/CRM-12765

CVE

CVE-2013-4662

CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM