Headline
CVE-2008-10004: fixed a protential source of SQL injection · drupalprojects/email_registration@126c141
A vulnerability was found in Email Registration 5.x-2.1. It has been declared as critical. This vulnerability affects the function email_registration_user of the file email_registration.module. The manipulation of the argument namenew leads to sql injection. The attack can be initiated remotely. Upgrading to version 6.x-1.0 is able to address this issue. The name of the patch is 126c141b7db038c778a2dc931d38766aad8d1112. It is recommended to upgrade the affected component. VDB-222334 is the identifier assigned to this vulnerability.
@@ -13,8 +13,8 @@ function email_registration_user($op, &$edit, &$account, $category = NULL) {
// if username generated from email record already exists, append underscore and number eg:(chris_123)
if (db_result(db_query("SELECT count(*) FROM {users} WHERE uid <> %d AND LOWER(name) = LOWER(‘%s’)", $account->uid, $namenew)) > 0) {
// find the next number available to append to the name
$sql = "SELECT SUBSTRING_INDEX(name,’_’,-1) FROM {users} WHERE name REGEXP ‘^%s_[0-9]+$’ ORDER BY CAST(SUBSTRING_INDEX(name,’_’,-1) AS UNSIGNED) DESC LIMIT 1";
$nameidx = db_result(db_query($sql, $namenew));
$sql = "SELECT SUBSTRING_INDEX(name,’_’,-1) FROM {users} WHERE name REGEXP ‘%s’ ORDER BY CAST(SUBSTRING_INDEX(name,’_’,-1) AS UNSIGNED) DESC LIMIT 1";
$nameidx = db_result(db_query($sql, ‘^’. $namenew .’_[0-9]+$’));
$namenew .= '_’. ($nameidx + 1);
}
// replace with generated username