CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API

Security Risk: 
Less Critical
SQL Injection
Affected Versions: 

CiviCRM v4.2.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: 

CiviCRM v4.2.10 and v4.3.4

Publication Date: 
Monday, June 10, 2013

The "Quick Search" bar in CiviCRM v4.3 includes a backend for processing search requests which is split in two layers. Both layers may be accessed remotely by backend users with permission "access CiviCRM." A malicious user may bypass one layer (which performs SQL validation/escaping) and call the second layer directly (thus bypassing SQL validation/escaping).

Note: The scope of the SQL injection is limited compared to a typical SQL injection because CiviCRM's SQL API does not accept SQL queries with multiple statements. Consequently:

  • Attackers cannot inject new SQL statements involving INSERT, UPDATE, DELETE, ALTER, etc.
  • An attacker can inject a sub-SELECT to implicitly reveal data from unrelated SQL tables.
  • An attacker can inject an inline variable-assignment ("SELECT @some_mysql_session_var := 2").
  • Upgrade to CiviCRM 4.2.10 or 4.3.4+
  • Tim Otten (CiviCRM LLC)
  • Coleman Watts (CiviCRM LLC)