CIVI-SA-2016-19 Order By clause in API not properly being validated

Published
2016-11-18 21:50
Written by
seamuslee - member of the CiviCRM community - view blog guidelines

When generating an API query, the ORDER BY clause for some entities was not correctly validated and escaped. This may have permitted data disclosure via time-based blind SQL attacks.

This is mitigated by the fact that attacks would require API access to exploit the vulnerability.

Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions
  • 4.7.14
  • 4.6.24
Solutions
  • Upgrade to the latest CiviCRM version
  • Apply the following patch if you cannot upgrade: https://github.com/civicrm/civicrm-core/pull/9343
Credits

Mattias Michaux for reporting the issue

Seamus Lee for fixing the issue

References