Closed Bug 812722 Opened 13 years ago Closed 13 years ago

Categories

(developer.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: Michael1026, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Steps to reproduce:

Simply enter ' into the username and password boxes on: https://developer-old.mozilla.org/forums/ucp.php?mode=login&sid=05564e6ae0d3784c3f41c402d9b70218

Actual results:

I received this MySQL error:

[phpBB Debug] PHP Notice: in file /includes/auth/auth_mdc.php on line 122: mysqli::prepare() [mysqli.prepare]: Couldn't fetch mysqli
[phpBB Debug] PHP Notice: in file /includes/auth/auth_mdc.php on line 129: mysqli::close() [mysqli.close]: Couldn't fetch mysqli

Well, if I go to https://developer-old.mozilla.org/forums/ucp.php?mode=login and enter "whatever" as password and username, I get exactly the same output. So I'm not sure where you identified the potential for an injection exactly.
Summary: SQL Injection → SQL Injection on https://developer-old.mozilla.org
Actually just noticed this too. Either way, even if it's not an injection, still a bug.
Pretty sure this is not related to SQL injection, but David (cc'd) can confirm. More importantly, this is not the main version of the Mozilla Developer Network. This is just an old version of the site that we have lying around for reference. I will make sure this site is not indexed by search engines in the future and will look into other ways of making it clear that it is not our main website.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Flags: needinfo?(dwalsh)
Resolution: --- → INVALID
We should talk about taking this site down tomorrow, or password-protecting it with htaccess. There's no reason for it to be public.
Flags: needinfo?(dwalsh)