VirtueMart Forum

VirtueMart 2 + 3 + 4 => Virtuemart Development and bug reports => Topic started by: silke on June 04, 2016, 22:06:08 PM

Title: Currency Update in Backend results in SQL error
Post by: silke on June 04, 2016, 22:06:08 PM
Hi,

please check the data validation for the currency name update in the backend listing (administrator/index.php?option=com_virtuemart&view=currency). E.g. including a quote will result in an error (see below). Even if this is "only" available in the backend, that type of error "breaks the page" (in client speech), so please check/fix the input validation.

Thanks ahead,
Silke


Quote: An error has occurred.

    1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'United States dollar">USD</span>" AND `virtuemart_currency_id`!=144' at line 1 SQL=SELECT `currency_name` FROM `#__virtuemart_currencies` WHERE `currency_name` = "<span title="United States dollar">USD</span>" AND `virtuemart_currency_id`!=144
Title: Re: Currency Update in Backend results in SQL error
Post by: Milbo on June 06, 2016, 12:39:29 PM
Quote from: silke on June 04, 2016, 22:06:08 PM
Even if this is "only" available in the backend, that type of error would in general qualify for sql injections, so please check/fix the input validation.

Uhhm,... any evidence for that? I doubt it. If you read the code, then you see a line in the function which prevents it. Furthermore there are more checks which prevent it.

LICET IOVI NON LICET BOVI
Title: Re: Currency Update in Backend results in SQL error
Post by: Studio 42 on June 06, 2016, 20:13:25 PM
Max :
"<span title="United States dollar">USD</span>"
This should never be possible.
See https://docs.joomla.org/Secure_coding_guidelines#Secure_strings to correctly escape it.
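As an added illustration of the escaping the post above points to (this is example code, not VirtueMart's own store method), the uniqueness check visible in the error message rebuilt with Joomla's database API so that quotes inside the submitted name cannot alter the statement. It assumes a Joomla 3 runtime (JFactory::getDbo(), getQuery(), quote(), quoteName(), loadResult()); the function name and the sample value are constructed for the example.

```php
<?php
// Added example, not VirtueMart's code: the "is this currency name already used?"
// query from the error report, built with Joomla's query builder.
// Assumes a loaded Joomla 3 framework (JFactory::getDbo() and friends).

/**
 * Returns true when another currency already uses $name, false otherwise.
 *
 * @param string $name       Untrusted currency name taken from the request.
 * @param int    $excludeId  Id of the currency being edited, left out of the check.
 * @return bool
 */
function currencyNameTaken($name, $excludeId)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);

    $query->select($db->quoteName('currency_name'))
        ->from($db->quoteName('#__virtuemart_currencies'))
        // quote() escapes the value and wraps it in quotes; quoteName() backticks
        // the identifier. The (int) cast keeps the id numeric.
        ->where($db->quoteName('currency_name') . ' = ' . $db->quote($name))
        ->where($db->quoteName('virtuemart_currency_id') . ' != ' . (int) $excludeId);

    $db->setQuery($query);

    // loadResult() returns null when no row matches.
    return $db->loadResult() !== null;
}

// Constructed input mirroring the value in the error report above. The embedded
// double quotes are escaped by quote(), so the statement stays syntactically valid
// instead of failing with MySQL error 1064.
$name = '<span title="United States dollar">USD</span>';
var_dump(currencyNameTaken($name, 144));

// For comparison, the shape that yields the 1064 error: the raw value is concatenated
// into the SQL string, so the quotes inside it terminate the string literal early.
// $sql = 'SELECT `currency_name` FROM `#__virtuemart_currencies` '
//      . 'WHERE `currency_name` = "' . $name . '" AND `virtuemart_currency_id`!=144';
```

Escaping fixes the broken query, but it is a separate layer from input filtering: whether HTML such as the span element should be accepted in a currency name at all is decided by the request filtering and ACL that the following reply mentions, not by the database layer.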
Title: Re: Currency Update in Backend results in SQL error
Post by: Milbo on June 07, 2016, 11:59:05 AM
Patrick, as long as you do not talk about

- the vRequest used to filter the input (non admins cannot use html)
- the ACL controlling who is allowed to use the currency store method

I see that you did not take a look yourself. Of course it can be simply fixed. But it is not a security issue, except your admin is compromised. The store method is the one of the normal vmTable, so it should already be escaped.

I just tested it, and in my case the use of " does not break the db, it just is not correctly displayed in the edit view, but correctly displayed in the list.
Title: Re: Currency Update in Backend results in SQL error
Post by: silke on June 07, 2016, 12:19:03 PM
Hi Milbo,

thanks for the update. I tested the behaviour on a fresh installation and it breaks / throws the error as well. So you indicate it is related to the superuser privilege, but I presume it should be fixed nevertheless as it simply means that the procedure breaks.

BR,
Silke
Title: Re: Currency Update in Backend results in SQL error
Post by: silke on June 07, 2016, 20:15:29 PM
Hi Milbo,

thanks for the 3.0.17 preview as well. That was a quick reaction and solution :-)

Best regards,
Silke