CVE-2022-4871: Fixed SQL injection issue in _Load_Users · ummmmm/nflpick-em.com@dd77a35
A vulnerability classified as problematic was found in ummmmm nflpick-em.com up to 2.2.x. This vulnerability affects the function _Load_Users of the file html/includes/runtime/admin/JSON/LoadUsers.php. The manipulation of the argument sort leads to sql injection. The attack can be initiated remotely. The name of the patch is dd77a35942f527ea0beef5e0ec62b92e8b93211e. It is recommended to apply a patch to fix this issue. VDB-217270 is the identifier assigned to this vulnerability. NOTE: JSON entrypoint is only accessible via an admin account
@@ -6,19 +6,19 @@ public function execute() { $sort = Functions::Post( ‘sort’ ); $direction = Functions::Post( ‘direction’ );
if ( !$this->_Load_Users( $sort, $direction, $users ) ) { return $this->setDBError(); return false; }
foreach( $users as &$loaded_user ) { $loaded_user[ ‘last_on’ ] = Functions::FormatDate( $loaded_user[ ‘last_on’ ] ); $loaded_user[ ‘current_place’ ] = Functions::Place( $loaded_user[ ‘current_place’ ] ); $loaded_user[ ‘current_place’ ] = Functions::Place( $loaded_user[ ‘current_place’ ] ); }
return $this->setData( $users ); return $this->setData( $users ); }
// Helper functions @@ -28,6 +28,25 @@ private function _Load_Users( $sort, $direction, &$users ) $db_weeks = new Weeks( $this->_db ); $current = $db_weeks->Current(); $direction = ( $direction === ‘asc’ ) ? ‘ASC’ : 'DESC’;
switch ( $sort ) { case ‘name’ : case ‘current_place’ : case ‘last_on’ : case ‘paid’ : case ‘failed_logins’ : case ‘active_sessions’ : case ‘remaining’ : { break; } default : { return $this->setError( array( '#Error#’, ‘Invalid sort’ ) ); } }
$sql = "SELECT u.*, CONCAT( u.fname, ' ', u.lname ) AS name, @@ -45,6 +64,12 @@ private function _Load_Users( $sort, $direction, &$users ) u.id ORDER BY {$sort} {$direction}"; return $this->_db->select( $sql, $users, $current );
if ( !$this->_db->select( $sql, $users, $current ) ) { return $this->setDBError(); }
return true; } }
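Review bot: The `switch ( $sort )` allow-list in `_Load_Users` closes the injection, but it relies on `switch`'s loose `==` comparison and then still interpolates the request value itself into `ORDER BY {$sort} {$direction}`; a strict membership test states the intent explicitly and keeps the accepted set in one place, e.g. `if ( !in_array( $sort, array( 'name', 'current_place', 'last_on', 'paid', 'failed_logins', 'active_sessions', 'remaining' ), true ) ) { return $this->setError( array( '#Error#', 'Invalid sort' ) ); }`. A comment above that check, such as `// $sort and $direction are request input and are placed unquoted in ORDER BY; only these exact column names may pass`, would tell the next maintainer why the list must not be loosened. In the first hunk, `foreach( $users as &$loaded_user )` leaves `$loaded_user` bound as a reference after the loop, so `unset( $loaded_user );` before `return $this->setData( $users );` avoids later aliasing into the last row. Both `execute()` and `_Load_Users()` begin outside their hunks, and the query text between the second and third hunks is not shown here.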