
remove more special characters from sql query #107

Closed
whohoho opened this issue Mar 22, 2018 · 9 comments
Comments

@whohoho

whohoho commented Mar 22, 2018

There is a bug in etherpad-lite that allows you to download all pads.

They pointed out that this might be a bug in ueberDB.

Here some special characters get removed.
https://github.com/Pita/ueberDB/blob/5c2ef4dc1476ef24bc475885817816c3e602ec8b/mysql_db.js#L133

_ (and possible more) is a special character as well.

See:
https://dev.mysql.com/doc/refman/5.7/en/pattern-matching.html
ether/etherpad-lite#3169

@whohoho changed the title from "escape more characters" to "remove more special characters from sql query" Mar 22, 2018
@ghost

ghost commented Mar 22, 2018

Since the use of pattern matching (MySQL, etc) / regular expressions (dirtydb) may be a wanted behavior, it would be great to implement an escape method for each supported database so clients (eg. etherpad-lite) can apply it on user-controlled data.

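The escape method suggested above, as an added example (not ueberDB's or etherpad-lite's own code): instead of stripping characters from the key, the `%` and `_` LIKE wildcards (and the escape character itself) are escaped, and the query declares an explicit `ESCAPE` character so the key is matched literally on MySQL, PostgreSQL and SQLite alike. The `store` table, `key`/`value` columns and the `!` escape character are assumptions; `likeMatch` is a small reference matcher so the behaviour can be checked offline.

```javascript
// Assumed escape character: '!' needs no quoting in any SQL dialect's
// string literal, unlike a backslash. Any '!' in user input must then be
// doubled so it cannot act as an escape itself.
const LIKE_ESCAPE_CHAR = '!';

// Escape the escape character first, then the two LIKE wildcards.
// "test_" becomes "test!_" and matches only the key "test_", not "testX".
function escapeLikePattern(value) {
  if (typeof value !== 'string') {
    throw new TypeError('LIKE pattern must be a string');
  }
  return value
    .replace(/!/g, '!!')
    .replace(/%/g, '!%')
    .replace(/_/g, '!_');
}

// Parameterised "all keys starting with <prefix>" query (hypothetical
// `store` table). Only the trailing '%' we append is a live wildcard;
// everything in the user-controlled prefix is matched literally.
function buildPrefixQuery(prefix) {
  return {
    sql: "SELECT `key`, `value` FROM `store` WHERE `key` LIKE ? ESCAPE '!'",
    params: [escapeLikePattern(prefix) + '%'],
  };
}

// Reference implementation of SQL LIKE semantics with an escape character,
// used here only to demonstrate the effect of escaping without a database.
function likeMatch(pattern, subject, escapeChar = LIKE_ESCAPE_CHAR) {
  const quote = (ch) => ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === escapeChar && i + 1 < pattern.length) {
      re += quote(pattern[++i]);      // escaped: match literally
    } else if (c === '%') {
      re += '.*';                     // any run of characters
    } else if (c === '_') {
      re += '.';                      // exactly one character
    } else {
      re += quote(c);
    }
  }
  return new RegExp('^' + re + '$', 's').test(subject);
}
```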
@JohnMcLear
Member

Responsible disclosure.....

@ghost

ghost commented Mar 22, 2018

This issue has already been public on the etherpad repository for months :-/ By the way, I tried to contact you about this subject (but not only) two days ago by email.

@JohnMcLear
Member

Did your email bounce? Did you get a response? I haven't seen anything... ;\ I have been handling other CVE and Security related topics successfully over the previous months with no major problems.

@JohnMcLear
Member

JohnMcLear commented Mar 23, 2018

Just so I understand the scope of this bug:

  1. Allows user to request downloading all pad contents. Most times it will fail due to, so large instances are safe from privacy concerns but can easily be DoS'd.
  2. Has affected all instances since we used UeberDB w/ MySQL [4+ years].
  3. Only affects instances running MySQL/PostgreSQL/SQLite [needs confirmation]

Steps to replicate:

  1. Bring up Etherpad instance
  2. Configure that instance to use MySQL
  3. Create two pads, one with a * in the padId (Other special characters IE % and _ should be tested too) For example.. "testHello" and "test*"
  4. Attempt to Export (HTML?) the Pad with a * in the padId
  5. Etherpad will download all pads.. Profit?

I am going to bring up an instance now to test on.

FAQ:

  1. Is DirtyDB affected? No.

@ghost

ghost commented Mar 23, 2018

> Did your email bounce? Did you get a response?

No and no :-/ Tried your personal email and contact@etherpad.org.

@JohnMcLear
Member

JohnMcLear commented Mar 23, 2018

I'm unable to replicate this bug on latest windows release.. See my steps to replicate above.

http://127.0.0.1:9001/p/test%/export/html returns an error, doesn't dump any user data.
http://127.0.0.1:9001/p/test_/export/html behaves as it should (exports test_ document contents)

@ghost

ghost commented Mar 23, 2018

This issue is worse than this and I can provide you a working proof-of-concept, but not here in public.

@JohnMcLear
Member

Email me it please :) I'm at my desk right now..
