Our result set sort ordering capabilities can currently be used as a SQL injection vector. Many screens take their sort ordering from the hidden field "sort" carried over from the previous screen. This field can be abused; it is normally consumed by $form->sort_order and $form->sort_columns when they build the textual 'ORDER BY' component of many SL/LSMB queries.
A simple 1.2 demonstration:
1) Go to "Goods & Services"->"Reports"->"Groups"
2) Edit the hidden value "sort", change it from "partsgroup" to "partsgroup; select id, username as partsgroup from users; --"
3) Put something in the search field.
4) Click continue
In my testing I get the user list instead of the group list, even though what I put in the search field matches every partsgroup I have. I get the group list if I leave the search field blank.
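The root cause in the report above is that a column name taken from the form is interpolated into the ORDER BY text; bind parameters cannot carry identifiers, so the fix has to be an explicit whitelist. The following is an added example (not SQL-Ledger or LedgerSMB code): the raw-interpolation pattern the report describes, next to a whitelisted replacement that $form->sort_columns-style helpers would need. The function names unsafe_order_by and safe_order_by and the per-screen column lists are assumptions made up for illustration.

```perl
#!/usr/bin/perl
# Added example, not project code. Demonstrates whitelisting the "sort"
# form value before it reaches an ORDER BY clause.
use strict;
use warnings;

# The pattern the report describes: whatever arrived in the hidden "sort"
# field is pasted verbatim into the SQL text.
sub unsafe_order_by {
    my ($sort) = @_;
    return "ORDER BY $sort";
}

# Columns each report screen is allowed to sort by, keyed by screen name.
# These are constructed sample lists, not the project's real column sets.
my %SORTABLE = (
    partsgroup => [qw(id partsgroup)],
    parts      => [qw(partnumber description sellprice)],
);

# Build an ORDER BY clause for $screen from the untrusted "sort" and
# "direction" form values. The column must match a whitelisted name exactly
# (string equality, no pattern matching), so a value carrying a ';' or a
# second statement can never pass; the direction is normalised to ASC/DESC.
sub safe_order_by {
    my ($screen, $sort, $direction) = @_;
    my $allowed = $SORTABLE{$screen}
        or die "no sortable columns defined for screen '$screen'\n";
    my ($col) = grep { $_ eq ($sort // '') } @$allowed;
    die "refusing non-whitelisted sort column for screen '$screen'\n"
        unless defined $col;
    my $dir = (defined $direction && uc($direction) eq 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY $col $dir";
}

# A legitimate value from the group report passes through unchanged.
print safe_order_by('partsgroup', 'partsgroup', 'asc'), "\n";   # ORDER BY partsgroup ASC

# Anything that is not exactly a known column name is rejected before any
# SQL is built; the caller should treat this as a bad request, not retry.
eval { safe_order_by('partsgroup', 'partsgroup; -- tampered', 'asc') };
print "rejected: $@" if $@;

# For contrast, the unsafe helper would have returned the tampered text as-is.
print unsafe_order_by('partsgroup'), "\n";   # ORDER BY partsgroup
```

The whitelist has to live per screen because each report exposes different columns; a single global list would let one screen sort by a column that only exists on another and turn a rejected request into a database error. Logging the rejected value (without executing it) gives a cheap detection signal for tampered hidden fields.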