Closed Bug 811578 Opened 9 years ago Closed 9 years ago

Possible SQL Injection

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Michael1026, Unassigned)

Details

(Whiteboard: [site:wiki.mozilla.org])

User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11



Actual results:

If you go to this page: https://wiki.mozilla.org/api.php?action=sfautocomplete&relation=Has_author=sleep(2)=0'&substr=tenull
you receive an error page consisting of '"internal_api_error_DBQueryError" info="Database query error"', which I believe is a MySQL error.

This page does not contain an error: https://wiki.mozilla.org/api.php?action=sfautocomplete&relation=Has_author=sleep(2)=0&substr=tenull

This would show that it's vulnerable to a SQLi.
Group: websites-security
Whiteboard: [site:wiki.mozilla.org]
I don't see the error described in this bug at the first URL; in fact, both URLs produce the same generic XML.

Not sure if this was ever valid, but I'll give it the benefit of the doubt and close it as fixed by the upgrade.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: websites-security