Closed Bug 620568 Opened 15 years ago Closed 15 years ago

SQL injection vulnerability in contact page @ intlstore.mozilla.org

Categories: Websites :: intlstore.mozilla.org
Type: defect
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: haidary
Assigned: u242531
Keywords: reporter-external
Whiteboard: [infrasec:sqlinject][ws:critical]

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)
Build Identifier:

Due to insufficient escaping of user account data, it's possible to inject an SQL payload in an address field and have it injected when submitting the contact form.

Reproducible: Always

Steps to Reproduce:
1. Create an account at intlstore.mozilla.org and log in.
2. Go to /address_book.php and either add a new address or edit an existing one.
3. In the "Company" field enter a string that includes a single quote (ex. foo') and save changes.
4. Go to /contact_us.php and click the form's send button to see the SQL insert error.

A dump of what is returned to the browser in my test. Note the unescaped quote after "foo".

- ERROR IN SQL INSERT INTO customer_enquiries (customers_id, title, customers_name, company, address_1, address_2, town, state, postcode, country, customers_email_address, customers_telephone, ipaddress, date_made, last_updated, store_id) VALUES ('65300','Please Choose - Order Number: ','John Doe', 'foo'', '1234 Main St.', '', 'calistoga', '', '94515', '223', 'doe@mailinator.com', '7775551212','1262310938','2010-12-20 23:39:12','2010-12-20 23:39:12','4')
OS: Windows Vista → All
Hardware: x86 → All
Whiteboard: [infrasec:sqlinject][ws:critical]
Verified, there also appear to be other fields that are vulnerable. I'm looking for the code.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #1)
> Verified, there also appear to be other fields that are vulnerable. I'm
> looking for the code.

Looks like all the fields are vulnerable, and there also seems to be a char limit for each field.

@jslater, can we get some feedback from the vendor on this one or get us a contact that we can reach out to?
Andy, can you get this fixed? Thanks!
Assignee: jslater → andy
Andy, can you help here? Or at least weigh in with a status update? @clyon, I had emailed the vendor separately when David originally notified me about this, but it looks like they haven't responded yet. Will ping them again.
Hi,

I have added sanitize code to all the variables taken from the user's account details before inserting into the database and this fixes the issue.

Thanks
Andrew
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
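
The flaw reported above is a second-order injection: the quote is stored intact in the address book and only breaks the statement later, when the contact form pastes the stored value into its INSERT. The following is an added example, not part of the bug thread or the vendor's code; it assumes an in-memory SQLite database as a stand-in for the store's database, a reduced three-column schema, hypothetical function names, and bound parameters in place of the sanitizing the fix comment describes.

```python
import sqlite3

COLS = "customers_id, customers_name, company"  # subset of the reported columns

def setup():
    # In-memory SQLite stands in for the store's database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address_book (customers_id INTEGER, company TEXT)")
    db.execute("CREATE TABLE customer_enquiries (%s)" % COLS)
    return db

def save_address(db, cid, company):
    # Step 3 of the report: the value is stored intact, quote included.
    db.execute("INSERT INTO address_book VALUES (?, ?)", (cid, company))

def stored_company(db, cid):
    sql = "SELECT company FROM address_book WHERE customers_id = ?"
    return db.execute(sql, (cid,)).fetchone()[0]

def contact_vulnerable(db, cid, name):
    # Flawed pattern: a value read back from the database is treated as
    # trusted and pasted into the statement text.
    company = stored_company(db, cid)
    db.execute("INSERT INTO customer_enquiries (%s) VALUES ('%s','%s', '%s')"
               % (COLS, cid, name, company))

def contact_fixed(db, cid, name):
    # Bound parameters: the driver passes the value as data, never as SQL.
    company = stored_company(db, cid)
    db.execute("INSERT INTO customer_enquiries (%s) VALUES (?, ?, ?)" % COLS,
               (cid, name, company))

def demo(company):
    db = setup()
    save_address(db, 65300, company)
    try:
        contact_vulnerable(db, 65300, "John Doe")
        outcome = "inserted"
    except sqlite3.Error as exc:
        outcome = "error: %s" % exc
    db.execute("DELETE FROM customer_enquiries")
    contact_fixed(db, 65300, "John Doe")
    rows = db.execute("SELECT company FROM customer_enquiries").fetchall()
    return outcome, rows

if __name__ == "__main__":
    print(demo("foo'"))   # constructed input taken from step 3 of the report
    print(demo("Acme"))   # benign value: the flawed path appears to work
```

The benign run shows why this class of bug survives testing: the concatenating path works until a stored value contains a quote.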
@Damon, this issue is resolved and since this issue involved people's information, it is being evaluated for the Web Bug Bounty. chofmann will be in contact about the bounty.
Summary: SQL injection vulnerability in contact page → SQL injection vulnerability in contact page @ intlstore.mozilla.org
Flags: sec-bounty+
Group: websites-security