FUEL CMS 1.5.2 allows SQL Injection via parameter 'id' in fuel/modules/fuel/controllers/Blocks.php
bcvgh opened this issue · 2 comments
login required.
fuel/modules/fuel/controllers/Blocks.php
line 64 import_view method starts
Line 70 receives the id parameter of the post request and enters the import method
fuel/modules/fuel/libraries/Fuel_blocks.php
Then enter the find_by_key method on line 307
Because the find_by_key method does not exist, enter the __call method of the current object
Enter line 4421 of MY_Model.php, pass parameters to $this->db->where() method
At this time, the external input string is spliced into the SQL statement through the $this->db->where() method, But at this time, the external input will be surrounded by single quotes because of codeigniter's safe processing of the where method, so the injection has not yet been caused..
Until line 4450, the user's external input is stored in the $other_args array at this time, and has not been processed safely
Enter the $this->db->order_by() method, at this time the external input is spliced into the sql statement again, and there is no single quotation mark included
Finally, the $this->db->get() method executes the database command, causing sql injection
sqlmap:
Thank you for the detailed report @bcvgh. I've pushed a fix for that issue which I believe was caused by the find_by_name method call (find_by_key method does exist).
Yes, my expression was incorrect. What I want to say is that there is a vulnerability in the find_by_name method