get_new_username() does not escape string used in SQL call
Bug #534172 reported by
Evan Goldenberg
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Critical
|
Evan Goldenberg | ||
| 1.0 |
Fix Released
|
Critical
|
Evan Goldenberg | ||
| 1.1 |
Fix Released
|
Critical
|
Evan Goldenberg | ||
Bug Description
Line 1217 in lib/user.php on master. The result of the call to substr is not escaped before being used in a SQL call. This means that if a user registers with a single quote in their name (such as Patty O'Furniture), a SQL error will be caused. This could allow someone to execute arbitrary SQL by specifying a name that begins with ';
A solution would be to use a placeholder in the offending SQL string.
Only affects Mahara 1.2 from the registration page, but the offending code is also used for xmlrpc functionality, which is present in earlier versions. In auth/xmlrpc/lib.php line 217 on master, if $remoteuser-
CVE References
Revision history for this message
| Evan Goldenberg (naveg) wrote | #1 |
Revision history for this message
| Evan Goldenberg (naveg) wrote | #2 |
| Changed in mahara: | |
| assignee: | nobody → Evan Goldenberg (naveg) |
| status: | New → Fix Committed |
| Changed in mahara: | |
| milestone: | none → 1.2.4 |
| importance: | Undecided → Critical |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
| visibility: | private → public |
To post a comment you must log in.
The get_new_username() function is present from 1.0 onward.