Hi all,
Our webshop is running on D7.37 and Views 3.11 (commerce kickstart 2.24)
The shop is certified yearly, which means each year it undergoes a security scan.
From this security scan, it seems that the pager's "items per page" parameter is causing a high-risk 150003 SQL injection threat.
This is a demo:
good working url: https://www.smarthomesupply.nl/philips-hue/veelgestelde-vragen?items_per...
url with payload: https://www.smarthomesupply.nl/philips-hue/veelgestelde-vragen?items_per...
difference between these urls: "items_per_page=5" vs "items_per_page=1e309"
The error response coming from the second url is
"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-9223372036854775808' at line 2"
Is this a valid threat?
Thanks for your support and a great module :)
Sincerely, Leon
Comments
Comment #1
elsteff1385 CreditAttribution: elsteff1385 as a volunteer commented
Comment #2
elsteff1385 CreditAttribution: elsteff1385 as a volunteer commented
Comment #3
JvE CreditAttribution: JvE at One Shoe commented
Doesn't look like a vulnerability.
1e309 is scientific notation for the first number that is larger than the allowed maximum in PHP (depending on platform).
So the number overflows into a large negative number.
In the query this is probably matched against an unsigned field, thus causing an error.
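What the scanner observed, from a defender's point of view, is an unvalidated query parameter reaching a LIMIT clause plus a verbose database error being returned to the visitor. MySQL's LIMIT accepts only non-negative integer literals, so once "1e309" has become INF and then a negative integer (on 64-bit PHP 5 builds the cast typically yields PHP_INT_MIN, which matches the -9223372036854775808 in the error above; PHP 7 and later define the cast of INF to int as 0), the statement fails with error 1064 regardless of any escaping. The fix is to never cast such input, but to accept only a bounded plain decimal integer. The following is an added example written for this thread, not code from the Views module or Drupal core; the function names, the default of 10 and the cap of 200 are assumptions, and the sample inputs are constructed:

```php
<?php
// Added example (not Views or Drupal code): normalise a pager "items_per_page"
// query value before it can reach a LIMIT clause.
// Assumption: $raw is the untrusted string from the query string (e.g. $_GET);
// $default and $max are constructed policy values for this demo.

declare(strict_types=1);

/**
 * Return a bounded positive integer, or $default when the input is not a
 * plain decimal integer. Exponents ("1e309"), signs, decimals and whitespace
 * are rejected outright instead of being cast, so no float/int overflow
 * can occur and no negative or absurd value reaches the query.
 */
function sanitize_items_per_page($raw, int $default = 10, int $max = 200): int
{
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $s = (string) $raw;
    // ctype_digit() accepts only [0-9]+ ; "", "1e309", "-5", " 5", "5.0" all fail.
    // The length cap keeps the later (int) cast far away from PHP_INT_MAX.
    if ($s === '' || !ctype_digit($s) || strlen($s) > 6) {
        return $default;
    }
    $n = (int) $s;   // safe: at most six digits, cannot overflow
    if ($n < 1) {    // "0" or "000" is not a usable page size
        return $default;
    }
    return min($n, $max);
}

/**
 * Build the LIMIT fragment from the sanitised value only (constructed demo of
 * where the check belongs: before any SQL is assembled).
 */
function build_limit_clause($raw): string
{
    return sprintf('LIMIT %d', sanitize_items_per_page($raw));
}

// Constructed sample inputs, including the scanner's payload and the value
// it turned into in the error message.
$samples = ['5', '1e309', '-9223372036854775808', '0', '999999999', 'abc', ' 5'];
foreach ($samples as $s) {
    printf("%-24s -> %s\n", var_export($s, true), build_limit_clause($s));
}
```

Run from the command line (`php example.php`); only "5" produces "LIMIT 5", every other sample falls back to "LIMIT 10". The second, independent mitigation is to keep `error_reporting`/Drupal's error display configured so that raw SQLSTATE messages are logged to watchdog rather than rendered in the response, since the message text itself is what lets a scanner flag the page.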
Comment #4
MustangGB CreditAttribution: MustangGB commented
Comment #5
MustangGB CreditAttribution: MustangGB commented
Closing this as outdated to tidy up a bit around here. If you're still having problems with the latest release please create a new issue.