This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

PHP Code Injection Vulnerability

September 13, 2010 7:01pm

  • #1 / Sep 13, 2010 7:01pm

    mklann

    14 posts

    Hey all, I recently ran McAfee site scan on a client's website and there appears to be a MAJOR hole in EE. It returned a PHP Code Injection vulnerability on the following form: /member/memberlist/

    [[Mod Edit: Removed code]]

    Our client is running EE 1.6.8, I would upgrade but I don’t see any reference to a fix for this in 1.6.9 change logs.

  • #2 / Sep 13, 2010 7:19pm

    Lisa Wess

    20502 posts

    Thank you for the report.  I have brought your post to the attention of our team to assess this.

    I would recommend updating to 1.6.9 as well.

    Thank you.

  • #3 / Sep 13, 2010 7:32pm

    mklann

    14 posts

    Thanks for the quick response. The problem lies in the pagination links at the bottom of the page. In my initial research it appears to be the $first_letter variable being sent to the Pagination class, line 604 of member_memberlist.php. But I cannot find where it's getting the $_POST values. Hope that helps in troubleshooting.

  • #4 / Sep 14, 2010 3:31pm

    Ingmar

    29245 posts

    Thanks. As Lisa said, our devs are looking into this.

  • #5 / Sep 21, 2010 4:00pm

    mklann

    14 posts

    Any update? This is a serious security issue that we need to get patched. Thanks.

  • #6 / Sep 21, 2010 6:16pm

    Derek Jones

    7561 posts

    Sorry for not getting back to you mklann.  While there was the potential to trigger a MySQL error, your demonstrated attack cannot result in SQL injection, nor script injection.

    Member templates do not parse PHP unless you have hacked your installation to do so, and ExpressionEngine is not responsible for vulnerabilities created by such modifications.  I’m not sure what McAfee reported, but the result of what you submitted on an unmodified installation would break the pagination links for the user who tried to inject code, and nothing more.

    Nevertheless, your report was greatly appreciated and did directly contribute to making ExpressionEngine better, so we thank you.

  • #7 / Sep 21, 2010 7:02pm

    Derek Jones

    7561 posts

    Received your updated post, mklann, thank you.  Our fix does address this, but you are indeed correct, thanks for the specifics.

  • #8 / Sep 21, 2010 7:12pm

    mklann

    14 posts

    Derek, when is the fix going to be released? We are using EE 1.6.9, can you guys please release a security update?

  • #9 / Sep 21, 2010 7:33pm

    Derek Jones

    7561 posts

    mklann, please check the email associated with your ExpressionEngine.com account.
