PHP MySQLi Database Class 2.9.2 SQL Injection

2019.03.19
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

https://packagist.org/packages/joshcam/mysqli-database-class aka https://github.com/ThingEngineer/PHP-MySQLi-Database-Class v2.9.2 is vulnerable to SQL injection in functon Where() because of special "forkaround" at line 971 <https://github.com/ThingEngineer/PHP-MySQLi-Database-Class/blob/eaf1f6cc387c8464ea6a9221fb308669beed3a63/MysqliDb.php#L971> If $whereValue happens to be an array, key value is used as $operator to build query. However typical usage of the class looks like: $db->where('ID', $_POST['id']); $name = $db->getValue('USERS', 'name'); The $whereValue is usually untrusted and if there are no additional checks like is_numeric($_POST['id']) an attacker may inject his statements. For example: id[= ? or 1=1 --]=0(Url encoded version for HTTP POST: id%5B%3D%20%3F%20or%201%3D1%20--%5D=0) Timeline: 08-03-2019 Sent and email to a.butenka at gmail.com and josh.lee.campbell at gmail.com 13-03-2019 No response, created public GitHub issue <https://github.com/ThingEngineer/PHP-MySQLi-Database-Class/issues/823>. The maintainer replies "not a bug". 13-03-2019 Full disclosure list. Regards, Jaroslav LobaAevski


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top