Hi all,

Our webshop is running on D7.37 and Views 3.11 (commerce kickstart 2.24)

The shop is certified yearly, which means each year it undergoes a security scan.

From this security scan, it seems that the pager's "items per page" parameter is causing a high risk 150003 SQL injection threat.

This is a demo:
good working url: https://www.smarthomesupply.nl/philips-hue/veelgestelde-vragen?items_per...
url with payload: https://www.smarthomesupply.nl/philips-hue/veelgestelde-vragen?items_per...

difference between these urls: "items_per_page=5" vs "items_per_page=1e309"

The error response coming from the second url is
"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-9223372036854775808' at line 2"

Is this a valid threat?

Thanks for your support and a great module :)

Sincerely, Leon

Comments

JvE

Doesn't look like a vulnerability.

1e309 is scientific notation for the first number that is larger than the allowed maximum in PHP (depending on platform).
So the number overflows into a large negative number.
In the query this is probably matched against an unsigned field, thus causing an error.
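To show the defensive side of the overflow JvE describes, here is an added example (my own code, not Views' or Drupal's) of validating an exposed items_per_page value before it reaches a LIMIT clause; the allowed page sizes and the function names are made up.

```php
<?php
// Added example, not code from Views or Drupal. It assumes the view exposes a
// fixed set of page sizes (the $allowed list below is made up) and that the
// result is handed to a LIMIT clause, e.g. via SelectQuery::range().

/**
 * Weak form: relies on PHP's loose numeric handling of the raw string.
 *
 * "1e309" > 0 is TRUE because PHP compares numeric strings as numbers and
 * 1e309 overflows a double to INF. What (int) then makes of the string
 * varies with the PHP release and platform (the report above shows
 * PHP_INT_MIN ending up in the query), so a value nobody intended reaches
 * LIMIT and MySQL rejects the statement.
 */
function naive_items_per_page($raw, $default) {
  return ($raw > 0) ? (int) $raw : $default;
}

/**
 * Hardened form: whitelist the shape of the input before converting it.
 *
 * Only a short string of ASCII digits is accepted, so "1e309", "-5",
 * "9223372036854775808" and "5 OR 1=1" are all rejected before any numeric
 * conversion happens, and the value must also be one of the sizes the view
 * actually offers.
 */
function safe_items_per_page($raw, array $allowed, $default) {
  // ctype_digit() must be given a string; it returns FALSE for ''.
  if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 4) {
    return $default;
  }
  $n = (int) $raw; // at most four digits, so this cast cannot overflow
  return in_array($n, $allowed, TRUE) ? $n : $default;
}

// Constructed sample inputs standing in for $_GET['items_per_page'].
$allowed = array(5, 10, 25, 50);
foreach (array('5', '1e309', '-5', '9223372036854775808', '25') as $raw) {
  printf("%-22s naive=%-22s safe=%d\n", var_export($raw, TRUE),
    var_export(naive_items_per_page($raw, 10), TRUE),
    safe_items_per_page($raw, $allowed, 10));
}
```

The hardened function never lets an unexpected value reach the query, so the scanner's payload produces a normal page instead of a database error message.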

MustangGB

Priority: Major » Normal
MustangGB

Status: Active » Closed (outdated)

Closing this as outdated to tidy up a bit around here. If you're still having problems with the latest release please create a new issue.