Skip to content
Snippets Groups Projects

Security: SQL Injection

    • Closed Issue created by Nilay Khatri @nilay.automatesmb

    Examples of SQL Injection: modules\Campaigns\models\Relation.php updateStatus modules\Settings\Leads\models\Mapping.php save() modules\Settings\Picklist\models\Module.php updateSequence() modules\Vtiger\models\Block.php updateSequenceNumber() modules\Vtiger\models\Relation.php updateRelationSequenceAndPresence

    Designs

    Child items ...

    • Activity

    • Uma
      Uma @uma.s ·
      Guest

      @nilay.automatesmb Can you please get more details on this issue?

    • Nilay Khatri
      Nilay Khatri @nilay.automatesmb ·
      Author

      @uma.s I hope that you are aware of these issues being reported by Blazej in the vtiger developer emailing list.

      I would request you to respond on the email thread. Blazej can give more inputs on this, as they have already researched on them.

      I would be also assisting as much as I can.

      modules\Campaigns\models\Relation.php updateStatus:

      Use of concatenation instead of parameterized query-

      $updateQuery = "UPDATE $tableName SET campaignrelstatusid = CASE

      fieldName";foreach(fieldName "; foreach (
      statusDetails as $relatedRecordId => $status) { $updateQuery .= " WHEN $relatedRecordId THEN $status "; }

      modules\Settings\Leads\models\Mapping.php save():

      Use of concatenation instead of parameterized query- $db->pquery("UPDATE vtiger_convertleadmapping $leadQuery, $accountQuery, $contactQuery, $potentialQuery WHERE editable = ?", array(1));

      modules\Settings\Picklist\models\Module.php updateSequence(): Use of concatenation instead of parameterized query-

      query=UPDATE.query = 'UPDATE '.
      this->getPickListTableName(
      pickListFieldName).SETsortorderid=CASE;foreach(pickListFieldName).' SET sortorderid = CASE '; foreach(
      picklistValues as $values => $sequence) {
      query.=WHEN.query .= ' WHEN '.
      primaryKey.'="'.
      values.'" THEN "'.
      sequence.'"'; } $query .= ' END';

      modules\Vtiger\models\Block.php updateSequenceNumber(): Use of concatenation instead of parameterized query-

      query = 'UPDATE vtiger_blocks SET sequence = CASE blockid '; foreach (
      sequenceList as $blockId => $sequence){
      query .=' WHEN '.
      blockId.' THEN '.$sequence; }

      modules\Vtiger\models\Relation.php updateRelationSequenceAndPresence: Use of concatenation instead of parameterized query-

      $query = 'UPDATE vtiger_relatedlists SET sequence=CASE ';

      relation_ids = array(); foreach(
      relatedInfoList as $relatedInfo){ $relation_id = $relatedInfo['relation_id']; $relation_ids[] = $relation_id; $sequence = $relatedInfo['sequence']; $presence = $relatedInfo['presence'];
      query .= ' WHEN relation_id='.
      relation_id.' THEN '.$sequence; } $query.= ' END , ';
      query.= ' presence = CASE '; foreach(
      relatedInfoList as $relatedInfo){ $relation_id = $relatedInfo['relation_id']; $relation_ids[] = $relation_id; $sequence = $relatedInfo['sequence']; $presence = $relatedInfo['presence'];
      query .= ' WHEN relation_id='.
      relation_id.' THEN '.$presence; }

    • Prasad Status changed to closed by commit 534d0b7e

      Status changed to closed by commit 534d0b7e

    • Uma mentioned in merge request !367 (merged)

      mentioned in merge request !367 (merged)

    • Uma Milestone changed to 7.2.0

      Milestone changed to 7.2.0

    Please register or sign in to reply

    Copyright 2023 Vtiger. All rights reserved.