Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#3799 closed Defect (worksforme)

sql injection, error in your SQL syntax;

Reported by: plet
Owned by:
Priority: normal
Milestone: Needs Review
Component: Core
Version: 1.7
Severity: minor
Keywords:
Cc: brett@…
Difficulty:

Description

This is what I received from a hacker. I use Release - 1.7.7, Versie - 2010071002 (I know I need to update):

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[sql])) AND ( (e.access_id IN (2)
OR (e.owner_guid = -1)
OR (
e.acces' at line 7

QUERY: SELECT count(DISTINCT e.guid) as total FROM elgg_entities e JOIN elgg_metadata md on e.guid = md.entity_guid JOIN elgg_metastrings msn on md.name_id = msn.id JOIN elgg_metastrings msv on md.value_id = msv.id WHERE (msn.string IN ("tags","interests","location","skills") AND msv.string = 'someword' AND ( (md.access_id IN (2)
OR (md.owner_guid = -1)
OR (
md.access_id = 0
AND md.owner_guid = -1
)
) and md.enabled='yes')) AND (e.site_guid IN (1)) AND (e.container_guid IN (7826[sql])) AND ( (e.access_id IN (2)
OR (e.owner_guid = -1)
OR (
e.access_id = 0
AND e.owner_guid = -1
)
) and e.enabled='yes')

Change History (2)

comment:1 Changed 21 months ago by cash

  • Resolution set to worksforme
  • Status changed from new to closed

Please upgrade to the latest release.

comment:2 Changed 21 months ago by cash

Specifically - upgrade to 1.7.11 (or 1.7.12 when it is released).
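
The error in the description shows request text (`7826[sql]`) reaching the `e.container_guid IN (...)` list unmodified. As an added example (not Elgg's code and not the change shipped in 1.7.11), the following Python validates every GUID as an integer and binds the list through placeholders before the query runs. The function names, the reduced three-column `elgg_entities` table and the use of SQLite in place of MySQL are assumptions made so the example runs offline; it also assumes GUIDs are non-negative integers.

```python
import sqlite3


def guid_list(values):
    """Return values as a list of ints; raise ValueError on anything else."""
    if isinstance(values, (str, int)):
        values = [values]
    guids = []
    for v in values:
        s = str(v).strip()
        # isdigit() alone accepts some non-ASCII digits; require ASCII 0-9.
        if not (s.isascii() and s.isdigit()):
            raise ValueError(f"not a GUID: {v!r}")
        guids.append(int(s))
    if not guids:
        raise ValueError("empty GUID list")
    return guids


def count_in_containers(db, container_guids):
    """Count enabled entities whose container_guid is in the given list."""
    guids = guid_list(container_guids)
    # One "?" per validated GUID: the driver binds values, nothing is spliced
    # into the SQL text except the placeholders themselves.
    placeholders = ",".join("?" * len(guids))
    sql = ("SELECT count(DISTINCT e.guid) FROM elgg_entities e "
           f"WHERE e.enabled = 'yes' AND e.container_guid IN ({placeholders})")
    return db.execute(sql, guids).fetchone()[0]


def demo_db():
    """Constructed sample data: a reduced stand-in for elgg_entities."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE elgg_entities "
               "(guid INTEGER, container_guid INTEGER, enabled TEXT)")
    db.executemany("INSERT INTO elgg_entities VALUES (?, ?, ?)",
                   [(1, 7826, "yes"), (2, 7826, "yes"),
                    (3, 7826, "no"), (4, 9000, "yes")])
    return db


if __name__ == "__main__":
    db = demo_db()
    print(count_in_containers(db, "7826"))
    try:
        count_in_containers(db, "7826[sql]")  # value as shown in the ticket
    except ValueError as exc:
        print("rejected:", exc)
```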
