News:

Support the VirtueMart project and become a member

Main Menu

Currency Update in Backend results in SQL error

Started by silke, June 04, 2016, 22:06:08 PM

Previous topic - Next topic

silke

Hi,

please check the data validation for the currency name update in the backend listing (administrator/index.php?option=com_virtuemart&view=currency). E.g. including a quote will result in an error (see below). Even if this is "only" available in the backend, that type of error "breaks the page" (in client speach), so please check/fix the input validation.

Thanks ahead,
Silke


QuoteAn error has occurred.

    1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'United States dollar">USD</span>" AND `virtuemart_currency_id`!=144' at line 1 SQL=SELECT `currency_name` FROM `#__virtuemart_currencies` WHERE `currency_name` = "<span title="United States dollar">USD</span>" AND `virtuemart_currency_id`!=144

Milbo

Quote from: silke on June 04, 2016, 22:06:08 PM
Even if this is "only" available in the backend, that type of error would in general qualify for sql injections, so please check/fix the input validation.

Uhhm,... any evidence for that? I doubt. If you read the code, then you see a line in the function which prevents it. Furthermore there are more checks which provents it.

LICET IOVI NON LICET BOVI
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

Max :
"<span title="United States dollar">USD</span>"
This should never be possible.
See https://docs.joomla.org/Secure_coding_guidelines#Secure_strings to correctly escape it.

Milbo

Patrick, as long you do not talk about

- the vRequest used to filter the input (non admins cannot use html)
- the ACL controlling who is allowed to use the currency store method

I see that you did not take a look yourself. Of course it can be simply fixed. But it is not a security issue, except your admin is compromised. The store method is the one of the normal vmTable, so it is should be already escaped.

I just tested it, and in my case the use of " does not break the db, it just is not correctly displayed in the edit view, but correctly displayed in the list.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

silke

Hi Milbo,

thanks for the update. I tested the behaviour on a fresh installation and it breaks / throws the error as well. So you indicate it is related to the superuser privilege, but I presume it should be fixed nevertheless as it simply means that the procedure breaks.

BR,
Silke

silke

Hi Milbo,

thanks for the 3.0.17 preview as well. That was a quick reaction and solution :-)

Best regards,
Silke