ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Admin URL SQL injection

August 18, 2014 7:38am

  • #1 / Aug 18, 2014 7:38am

    willtonkin

    Hi,

    I’ve had a site penetration tested and one piece of feedback was that SQL injection is possible via the entry_id query parameter from admin entry_form URLs.

    For example:

    http://{domain}/admin/index.php?/cp/content_publish/entry_form?channel_id=9&entry_id=70%20AND%20SLEEP%281%29
    (replace {domain})

    Will issue a SLEEP command to SQL. You have to be logged in to perform this but anyone able to edit entries will be able to execute commands.

    Is this worth raising as a bug? If so, any thoughts on where I should start when creating a quick patch in the meantime would be greatly appreciated.

    Thanks
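The mechanics behind the report above, as an added example that is not part of the original post and is not ExpressionEngine code: ExpressionEngine itself is PHP on MySQL, but the bug pattern (a request parameter spliced into SQL text) and the interim fix (accept only a decimal integer, then bind it as a query parameter) are language-independent, so this uses Python's built-in sqlite3 module. The `channel_titles` table and its rows are constructed sample data, SQLite's missing `SLEEP()` is stubbed with a function that only records its calls, and `entry_id_from_url`, `fetch_title_vulnerable` and `fetch_title_safe` are names chosen here for illustration. It decodes the exact URL from the post, shows that the vulnerable query lets the attacker-controlled condition reach the database engine, and shows the check that stops it.

```python
import re
import sqlite3
import urllib.parse

# Sample data constructed for this example; it is not ExpressionEngine's schema.
SAMPLE_ENTRIES = [(69, 9, "first"), (70, 9, "second"), (71, 3, "third")]

# Every SLEEP() the engine evaluates is recorded here instead of sleeping,
# so a caller can observe whether an injected payload reached SQL at all.
sleep_calls = []


def fake_sleep(seconds):
    sleep_calls.append(seconds)
    return 0  # mirrors MySQL's SLEEP(), which returns 0 on completion


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register the stub so the payload from the post parses.
    conn.create_function("SLEEP", 1, fake_sleep)
    conn.execute(
        "CREATE TABLE channel_titles (entry_id INTEGER, channel_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO channel_titles VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    return conn


def entry_id_from_url(url):
    """Return the raw, percent-decoded entry_id from a control-panel URL.

    The EE URL has two '?' characters; urlparse splits at the first one, and
    parse_qs still finds the 'entry_id=' pair in what follows.
    """
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query)["entry_id"][0]


def accepts_entry_id(entry_id):
    """The interim check: only a string of decimal digits may reach SQL."""
    return re.fullmatch(r"[0-9]+", entry_id) is not None


def fetch_title_vulnerable(conn, entry_id):
    """The bug pattern: the request parameter is concatenated into the SQL text,
    so 'entry_id=70 AND SLEEP(1)' becomes part of the WHERE clause."""
    sql = "SELECT title FROM channel_titles WHERE entry_id = " + entry_id
    return [row[0] for row in conn.execute(sql)]


def fetch_title_safe(conn, entry_id):
    """Validate first, then bind: the value can never change the query's shape."""
    if not accepts_entry_id(entry_id):
        raise ValueError("invalid entry_id: %r" % (entry_id,))
    sql = "SELECT title FROM channel_titles WHERE entry_id = ?"
    return [row[0] for row in conn.execute(sql, (int(entry_id),))]


if __name__ == "__main__":
    conn = make_db()
    url = ("http://example.com/admin/index.php?/cp/content_publish/entry_form"
           "?channel_id=9&entry_id=70%20AND%20SLEEP%281%29")
    payload = entry_id_from_url(url)
    print("decoded entry_id:", payload)
    print("vulnerable:", fetch_title_vulnerable(conn, payload), "SLEEP calls:", len(sleep_calls))
    print("validator accepts payload:", accepts_entry_id(payload))
    print("safe:", fetch_title_safe(conn, "70"))
```

The boolean variants `70 AND 1=1` and `70 AND 1=0` return the row and nothing respectively through the vulnerable path, which is the same attacker control the reported `SLEEP(1)` payload exercises by timing instead of by result. In the PHP original the equivalent one-line interim fix is casting the parameter to an integer before it is used in the query; the digit check here is the same idea, made explicit so that a rejected value is logged or reported rather than silently coerced.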
