SS-2017-008: SQL injection in full text search of SilverStripe 4
- Severity:
- Critical (?)
- Identifier:
- ss-2017-008
- Versions Affected:
- 3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
- Versions Fixed:
- 3.5.6, 3.6.3, 4.0.1
- Release Date:
- 2017-12-07
When performing a fulltext search in SilverStripe 4.0.0 the 'start' querystring parameter is never escaped safely. This exposes a possible SQL injection vulnerability.
The issue exists in 3.5 and 3.6 but is less vulnerable, as SearchForm sanitises these variables prior to passing to mysql.
Reported by Stephan Bauer