The module allows direct enter of SQL queries in the UI

Created on 15 May 2023, almost 2 years ago
Updated 16 May 2023, almost 2 years ago

Problem/Motivation

The user interface allows entering SQL queries. I know the module is not covered by the advisory policy, but this needs to be addressed, and people should not use this module due to the vulnerability.

Steps to reproduce

1. Install the module
2. Navigate to /admin/config/people/cool_user_extras
3. Write a DELETE statement
4. Basically you can delete anything. Even connect from one site to another and delete data in the remote database.

Proposed resolution

1. Probably the whole idea needs to be reconsidered and implemented in a much safer way.

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇺🇸United States minnur San Francisco

  • Security



Comments & Activities

  • Issue created by @minnur
  • 🇺🇸United States minnur San Francisco
  • 🇪🇸Spain intersarsi

    Thank you for reviewing the module.

    I agree with you, this is not the most refined and secure way.

    However, there are two aspects that any administrator/developer has to keep in mind:

      • The section where we can write a SQL statement is only accessible by whoever has the administrator role.
      • The user that is used to connect to the foreign/remote database should only have privileges to:
          • Do SELECT queries only on the necessary/specific tables.
          • Allow establishing a connection only from the necessary/specific host.
      • Perhaps offering the option to configure an SSH tunnel would improve the security. But at this moment I don't know if it is possible using the Drupal API and PHP.

    I will think about it. Any contribution will be welcome to make the module more secure.
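
The least-privilege database account that the comment above recommends, written out as an added example (MySQL/MariaDB syntax; not code from the module or from either participant). The database name `remote_db`, the table names, the host address and the password are placeholders.

```sql
-- Added example: a least-privilege account for the remote database connection.
-- All names, the host 203.0.113.10 and the password are placeholders.

-- Weak setting: an account that may do anything from any host. A DELETE typed
-- into the module's UI runs with these rights, which is what the issue reports.
-- CREATE USER 'drupal_extras'@'%' IDENTIFIED BY 'CHANGE_ME';
-- GRANT ALL PRIVILEGES ON *.* TO 'drupal_extras'@'%';

-- Hardened setting: the account may connect only from the Drupal web host and
-- may only SELECT from the specific tables the module needs.
CREATE USER 'drupal_extras_ro'@'203.0.113.10' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT ON remote_db.users TO 'drupal_extras_ro'@'203.0.113.10';
GRANT SELECT ON remote_db.user_profiles TO 'drupal_extras_ro'@'203.0.113.10';

-- Check 1: the grants listed should be USAGE plus the two SELECT grants above,
-- nothing else.
SHOW GRANTS FOR 'drupal_extras_ro'@'203.0.113.10';

-- Check 2: from a session opened as the hardened account, a write must be
-- refused with a "command denied" error instead of removing rows.
-- DELETE FROM remote_db.users WHERE uid = 1;
```

The grants take effect for new connections; sessions already open with the old account keep their old privileges until they reconnect.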
