get_new_username() does not escape string used in SQL call

Bug #534172 reported by Evan Goldenberg
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Critical
Evan Goldenberg
1.0
Critical
Evan Goldenberg
1.1
Critical
Evan Goldenberg

Bug Description

Line 1217 in lib/user.php on master. The result of the call to substr is not escaped before being used in a SQL call. This means that if a user registers with a single quote in their name (such as Patty O'Furniture), a SQL error will be caused. This could allow someone to execute arbitrary SQL by specifying a name that begins with ';

A solution would be to use a placeholder in the offending SQL string.

Only affects Mahara 1.2 from the registration page, but the offending code is also used for xmlrpc functionality, which is present in earlier versions. In auth/xmlrpc/lib.php line 217 on master, if $remoteuser->username contained a single quote, the same problem would occur.

CVE References

Revision history for this message
Evan Goldenberg (naveg) wrote :

The get_new_username() function is present from 1.0 onward.

Revision history for this message
Evan Goldenberg (naveg) wrote :

fixed on the security repo in branches master, 1.2_STABLE, 1.1_STABLE, 1.0_STABLE

Changed in mahara:
assignee: nobody → Evan Goldenberg (naveg)
status: New → Fix Committed
Changed in mahara:
milestone: none → 1.2.4
importance: Undecided → Critical
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers