SQL injection vulnerability?

Which Fabrik version?

It's possible to select different packages in Fabrik but it seems you are not running a recent version.
 
I have this exact problem on my site with Joomla 3.3.6 and Fabrik 3.3.1
But the example in this thread is from the demo.fabrikar.com site.
 
With your string "a' or 1=1--" and Fabrik since Fabrik 3.3 I get
Table 'j33.zita1_aor11--_lists' doesn't exist SQL=SHOW FULL COLUMNS FROM `zita1_aor11--_lists`
i.e. the string is sanitized (quotes, =, spaces filtered out).
So if you really get the unsanitized string, I think you are not running Fabrik 3.3.1.

It seems demo.fabrikar.com is running an old Fabrik version.
http://fabrikar.com/blog/88-fabrik-the-joomla-application-builder-version-3-3-released
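As an added illustration (not code from Fabrik, Joomla, or anyone in this thread), the following Python model reproduces the behaviour troester describes and contrasts it with the unsanitized case. The character whitelist in `strip_to_identifier`, the `zita1_` prefix, the `_lists` suffix, and the `KNOWN_PACKAGES` allow-list are assumptions chosen to match the error message quoted above; Fabrik's real implementation is not shown on this page.

```python
import re

# Constructed sample input: the probe string quoted in the thread.
PROBE = "a' or 1=1--"
# Assumed values, taken from the error message in the thread.
TABLE_PREFIX = "zita1_"
TABLE_SUFFIX = "_lists"
# Hypothetical allow-list of package names the application actually knows.
KNOWN_PACKAGES = {"fabrik", "zita1"}

# Assumed whitelist: keep letters, digits, '_' and '-'; drop everything else.
# This is consistent with quotes, '=' and spaces vanishing from the probe.
_NOT_IDENT_CHAR = re.compile(r"[^A-Za-z0-9_-]")


def strip_to_identifier(value: str) -> str:
    """Character-whitelist sanitizer for a user-supplied package name."""
    return _NOT_IDENT_CHAR.sub("", value)


def quote_identifier(name: str) -> str:
    """MySQL identifier quoting: wrap in backticks, doubling embedded backticks."""
    return "`" + name.replace("`", "``") + "`"


def naive_table_name(package: str) -> str:
    """Unsanitized concatenation: the user string lands in the SQL text as-is."""
    return TABLE_PREFIX + package + TABLE_SUFFIX


def sanitized_table_name(package: str) -> str:
    """Sanitized concatenation, matching the table name seen in the thread."""
    return TABLE_PREFIX + strip_to_identifier(package) + TABLE_SUFFIX


def build_show_columns(package: str) -> str:
    """Statement the thread's error message reports, built the sanitized way."""
    return "SHOW FULL COLUMNS FROM " + quote_identifier(sanitized_table_name(package))


def resolve_package(package: str, known=frozenset(KNOWN_PACKAGES)):
    """Stronger check: only accept package names the application knows.

    Returns the table name for a known package, or None for anything else,
    so untrusted input never reaches the SQL text at all.
    """
    if package not in known:
        return None
    return sanitized_table_name(package)


if __name__ == "__main__":
    print("naive     :", naive_table_name(PROBE))
    print("sanitized :", sanitized_table_name(PROBE))
    print("statement :", build_show_columns(PROBE))
    print("allow-list:", resolve_package(PROBE), "/", resolve_package("fabrik"))
```

Running it shows the same `zita1_aor11--_lists` name that appears in troester's error, and that the allow-list variant rejects the probe outright rather than producing a mangled but harmless table name.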
 
Hi troester,

No, I also get a sanitized string on my site.
So can I therefore assume that this is not really a SQL injection problem?
 