SQL Injection Issue with K2

10 years 2 months ago #129869 by Mike Herring Productions Inc
SQL Injection Issue with K2 was created by Mike Herring Productions Inc
I am finding a Blind SQL Injection issue with K2. This seems serious to me, and my customer, who ran the security scan, will hold up production and wants me to make this a formal report.
I have a simple use case. Consider the URL
/component/k2/itemlist/filter?moduleId=699&Itemid=905
This is a fairly typical URL to search for a list.
Now add this code in the middle: %20%2B%20(SELECT%200%20FROM%20(SELECT%20SLEEP(28))qsqli_1111)%20&
This forms the URL
/component/k2/itemlist/filter?moduleId=699 %2B (SELECT 0 FROM (SELECT SLEEP(29))qsqli_1111) &Itemid=905
This will also "work" but has a significant delay whilst it sleeps; lower the number in the sleep statement and it sleeps less. Seems to me a clear opening for an injection error.
I do not believe this is a result of the K2 Search and Filter module used to create the initial URL, because even if those modules are unpublished the basic URLs still work; that module simply looks them up and builds them from user selections. So to me this is a K2 issue and possibly a Joomla core issue if you guys use the same parts. In any event, can someone look into this???

10 years 2 months ago #129870 by Lefteris
Replied by Lefteris on topic Re: SQL Injection Issue with K2
Hi. This URL is not part of K2. You can try it in a site with just K2 (no other K2 related modules) to verify what I am saying. I suggest that you contact the developers of these extensions and let them know about the issue as soon as possible.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
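
A defender-side check for the request pattern discussed in this thread, as an added example that is not part of either post or of any K2 or extension code: it scans access-log lines for the `moduleId` and `Itemid` parameters and flags values that are not plain integers or that contain a delay function. The log lines, IP addresses and function names are constructed for illustration, and treating these two parameters as integer-only is an assumption based on the URL in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: these parameters only ever carry plain integers, as in the thread's URL.
NUMERIC_PARAMS = {"moduleId", "Itemid"}
# Delay primitives typical of time-based blind SQL injection probes.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_url(url):
    """Return (param, decoded_value, reason) findings for one request URL."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in NUMERIC_PARAMS:
            continue
        value = value.strip()  # parse_qsl has already percent-decoded the value
        if DELAY_RE.search(value):
            findings.append((name, value, "delay function in numeric parameter"))
        elif not re.fullmatch(r"\d+", value):
            findings.append((name, value, "non-integer value in numeric parameter"))
    return findings

def scan_log(lines):
    """Return [(line_number, findings)] for every log line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = check_url(match.group(1))
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log: a normal request, the scanner probe quoted in the
# thread, and a malformed Itemid value.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /component/k2/itemlist/filter?moduleId=699&Itemid=905 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /component/k2/itemlist/filter?moduleId=699%20%2B%20(SELECT%200%20FROM%20(SELECT%20SLEEP(28))qsqli_1111)%20&Itemid=905 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /component/k2/itemlist/filter?moduleId=699&Itemid=905abc HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        for name, value, reason in findings:
            print(f"line {number}: {name}={value!r}: {reason}")
```

The same integer-only rule, enforced server-side before the value reaches a query (a cast to integer or a bound parameter), is what removes the delay behaviour the scan reported; the log check only shows where such requests have already arrived.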
