this is the one year old Drupal bug sending panic waves through Drupal land

yep nearly one year old 

nothing happened untill somebody throught that it was interesting to use in an attack 

"

Database ExpandArguments placeholder naming issues when using array

 

 

When expading array argument in query, current code uses the array key values themselves to generate the query placeholders.

This poses 3 problems:

[1] Low degree of "repetitivity" between queries, that difficults implementation of advanced query caching. In SQL Server driver we are using regex all the time to manipulate queries.

[2] User can easily crash the query if it includes no placeholder-valid characters (alphanumeric + underscore) in the keys passed in the argument. So, this will break the query:

$params[':nids'] = array(
'uid1' => 5,
'what a bad placeholder name why should we care ?¿?' => 6,
);

db_query('SELECT UID FROM USERS WHERE USERS.UID IN (:nids)', $params);

[3] Posible door open for SQL injection?

I've tried for a while with someting like this:

$params[':nids'] = array(
'ok' => 5,
'ok2) OR (1=1) OR 5 IN (5' => 6,
'ok2' => 7
);

db_query('SELECT UID FROM USERS WHERE USERS.UID IN (:nids)', $params);

But I am running SQL Server and the only why I can think of exploiting this would be using duplicate placeholder, wich MySQL swallows but SQL Server complains about. Maybe someone with MySQL can give a try and see if it can make it work.

Anyways, I don't understand why it is using the array keys passed by the user to generate the placeholders, makes no sense to me.

I've moved this into MAJOR due to points [2] and [3], feel free to downgrade.


https://www.drupal.org/node/2146839

The comments are closed.