Opened 9 years ago

Closed 9 years ago

#1223 closed defect (bug) (fixed)

Filters in SQL without proper quote escaping

Reported by: rvenable Owned by: apeatling
Milestone: 1.1.2 Priority: blocker
Severity: Version:
Component: Keywords: security, sql injection, needs-patch
Cc: Jason_JM

Description

There are multiple instances in the code for user-input filters where the filter string is not properly escaped. All use the like_escape() function (included in WP), but from what I can tell, that function does not prevent SQL injection.

bp-blogs-classes.php:
In BP_Blogs_Blog::search_blogs(): lines 205 and 208

bp-friends-classes.php:
In BP_Friends_Friendship::search_friends(): lines 168, 169, 171, 172
In BP_Friends_Friendship::search_users(): lines 233, 235
In BP_Friends_Friendship::search_users_count(): lines 255, 257

bp-groups-classes.php:
In BP_Groups_Group::filter_user_groups(): lines 262, 263
In BP_Groups_Group::search_groups(): lines 285, 286
In BP_Groups_Group::get_recently_joined(): line 702
In BP_Groups_Group::get_most_popular(): line 722
In BP_Groups_Group::get_recently_active(): line 742
In BP_Groups_Group::get_alphabetically(): line 762
In BP_Groups_Group::get_is_admin_of(): line 782
In BP_Groups_Group::get_is_mod_of(): line 802

Change History (8)

#1 @rvenable
9 years ago

Also, the like_escape() function returns its value, but that returned value isn't actually being used.
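To make the two defects in the description and comment #1 concrete, here is a stand-alone PHP illustration. It is an added example, not BuddyPress or WordPress code: like_escape_demo() reproduces what the WordPress like_escape() of that era did (it replaces only the LIKE wildcards % and _), and prepare_demo() is a deliberately simple stand-in for $wpdb->prepare() so the script runs without WordPress loaded. The table name and the sample filter value are constructed for the demo.

```php
<?php
// Added example (not project code). Shows why like_escape() alone does not
// make a filter safe for interpolation into SQL, why discarding its return
// value leaves the filter untouched, and what the corrected pattern looks like.

// Mirrors the historical WordPress like_escape(): it escapes only the LIKE
// wildcards % and _ and leaves quote characters exactly as they are.
function like_escape_demo( $text ) {
    return str_replace( array( '%', '_' ), array( '\\%', '\\_' ), $text );
}

// Stand-in for $wpdb->prepare( $sql, $value ) with a single %s placeholder:
// the value is quoted and its quote/backslash characters are escaped, so the
// value can never terminate the string literal. (Assumption: the real
// $wpdb->prepare() uses its own escaping routine; this is only a demo.)
function prepare_demo( $sql, $value ) {
    return sprintf( $sql, "'" . addslashes( $value ) . "'" );
}

// Pattern the ticket reports: like_escape() is called but its return value
// is thrown away, and the raw filter string is interpolated into the query.
function search_groups_reported( $filter ) {
    like_escape_demo( $filter ); // returned value is never assigned
    return "SELECT id FROM bp_groups WHERE name LIKE '%{$filter}%'";
}

// Even with the return value used, quotes are still not escaped.
function search_groups_return_used( $filter ) {
    $filter = like_escape_demo( $filter );
    return "SELECT id FROM bp_groups WHERE name LIKE '%{$filter}%'";
}

// Corrected pattern: escape LIKE wildcards first, then let the prepare step
// quote and escape the whole value as a string parameter.
function search_groups_hardened( $filter ) {
    $like = '%' . like_escape_demo( $filter ) . '%';
    return prepare_demo( 'SELECT id FROM bp_groups WHERE name LIKE %s', $like );
}

// Returns true when a query still contains the raw, unescaped apostrophe
// from the filter, i.e. the string literal was broken by user input.
function literal_broken( $sql ) {
    return strpos( $sql, "O'Brien" ) !== false;
}

// Constructed input: a legitimate name containing an apostrophe, which is
// enough to show whether the quoting is handled.
$filter = "O'Brien";

foreach ( array( 'reported', 'return_used', 'hardened' ) as $variant ) {
    $fn  = 'search_groups_' . $variant;
    $sql = $fn( $filter );
    printf( "%-12s broken=%s  %s\n", $variant, literal_broken( $sql ) ? 'yes' : 'no', $sql );
}
// Expected: the first two variants print broken=yes (the apostrophe ends the
// literal early); the hardened variant prints broken=no with O\'Brien escaped.
```

Running this shows that escaping wildcards and escaping quotes are separate concerns: like_escape() only ever addressed the first, so the filter must still go through $wpdb->prepare() (or, in the code of the time, the $wpdb escaping routine) before it is placed in the query. In WordPress 4.0 and later, like_escape() is deprecated in favour of $wpdb->esc_like(), which is used in the same way, before prepare().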

#2 @DJPaul
9 years ago

  • Keywords needs-patch added

Good catch with the like_escape.

#3 @apeatling
9 years ago

  • Summary changed from Filters are often used in SQL without proper quote escaping (possible injection vulnerability) to Filters in SQL without proper quote escaping

#4 @Jason_JM
9 years ago

  • Keywords security added

#5 @Jason_JM
9 years ago

  • Cc Jason_JM added
  • Owner set to apeatling
  • Priority changed from critical to blocker
  • Status changed from new to assigned

This absolutely must get fixed *ASAP*

I will take care of the rest of the criticals so Andy can work on this.

#6 @apeatling
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [2047]) Fixes #1223

#7 @DJPaul
9 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Could I just get something clarified? Unless I am misreading, like_escape() returns a value, it doesn't do it by reference, so the returned values aren't actually being used? Thanks.

#8 @apeatling
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [2052]) Fixes #1223 props DJPaul
