#3598 closed Defect (fixed)
potential sql injection vulnerability in members
| Reported by: | heurix@… | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | Elgg 1.8.0 |
| Component: | Members | Version: | 1.8 Beta |
| Severity: | critical | Keywords: | sql injection |
| Cc: | brett@… | Difficulty: | trivial |
Description (last modified by cash)
In mod/members/pages/members/search.php, there is a potential SQL injection vulnerability on $name (line 22: $name = get_input('name')). It needs to be sanitized before being passed to the 'wheres' array.
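The pattern the description points at, as an added illustration that is not part of this ticket or of Elgg's code: a request parameter concatenated into a 'wheres' clause versus the same search with the value bound as a parameter. The table, rows, column names and the PAYLOAD string are all constructed for the example and stand in for (not reproduce) Elgg's schema; sqlite3 is used so it runs offline.

```python
import sqlite3

# Constructed sample rows standing in for a members table (not Elgg's real schema).
SAMPLE_MEMBERS = [
    ("alice", "Alice Example", 0),
    ("bob", "Bob Builder", 0),
    ("admin", "Site Admin", 1),   # is_hidden = 1: should never be returned by search
]

# Constructed attacker input: closes the LIKE literal, ORs in an always-true
# condition, then opens a new literal to swallow the trailing "%'".
PAYLOAD = "%' OR 1=1 OR '"


def make_db():
    """Create an in-memory members table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, name TEXT, is_hidden INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def search_vulnerable(conn, name):
    """Hypothetical unsanitized version: the raw value lands inside the SQL text,
    so quotes in the input change the statement's structure and can defeat
    the other clauses in the wheres list (here, the is_hidden filter)."""
    wheres = [
        "is_hidden = 0",
        "name LIKE '%" + name + "%'",   # request input spliced straight into SQL
    ]
    sql = "SELECT username FROM members WHERE " + " AND ".join(wheres) + " ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, name):
    """Hardened form: the clause is fixed SQL, the value is bound as a parameter,
    and LIKE metacharacters are escaped so the input is matched literally."""
    escaped = name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    wheres = [
        "is_hidden = 0",
        "name LIKE ? ESCAPE '\\'",      # placeholder; value supplied separately
    ]
    sql = "SELECT username FROM members WHERE " + " AND ".join(wheres) + " ORDER BY username"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:   ", search_vulnerable(db, "ali"))
    print("vulnerable, payload:        ", search_vulnerable(db, PAYLOAD))
    print("parameterized, normal input:", search_parameterized(db, "ali"))
    print("parameterized, payload:     ", search_parameterized(db, PAYLOAD))
```

With the payload, the vulnerable query becomes `... WHERE is_hidden = 0 AND name LIKE '%%' OR 1=1 OR '%'`, which returns every row including the hidden one; the parameterized query looks for a name containing the literal payload text and returns nothing. Escaping quotes (as an escape function such as Elgg's would do) closes the structural hole; binding the value and escaping the LIKE wildcards additionally stops a bare `%` from matching every member.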
Change History (3)
comment:1 Changed 2 years ago by cash
Thanks for the report. I had just noticed that yesterday while pointing someone to the code!
comment:2 Changed 2 years ago by Cash Costello
- Resolution set to fixed
- Status changed from new to closed
Fixes #3598 sanitizing the $name variable
Changeset: 49853b53578ea3254543020e553b29a7a33ab0af
comment:3 Changed 11 months ago by cash
- Description modified (diff)
- Milestone changed from Elgg 1.8.x to Elgg 1.8.0