API SQL Injection #2099
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@connortechnology can you confirm if this is still the case, or if it has been fixed at some point and the issue was forgotten to be updated?
Definitely a problem - from the demo site (zmuser/zmpass), try this link https://demo.zoneminder.com/zm/api/events/index/Id%20=%201%20OR%201=:1.json It should show no rows (since that isn't a valid ID), but instead it shows all rows. Anyone could use this to execute more complex SQL, which potentially could include deleting or modifying events, triggering alarms, adding users, changing permissions, running shell code, etc.
Any news about this vulnerability?
Nothing has been done about it. Please note that this is only a vulnerability if you do not use authentication. You have to be logged in to do this. So use authentication.
@pliablepixels Does zmNinja do any API queries with
I don't use OR or similar, but I do use a lot of nested paths like
OK, yeah, that is fine. I won't limit how many path segments there are. Side note: I just found the docs for CakePHP Complex Find Conditions and it specifically warns about this kind of SQLi:
Looks like it's too late to listen to that if we don't want to break all consumers… we'll just have to do our own sanitization.
@pliablepixels Do you ever include the table name in your query e.g.
@mnoorenberghe not to my knowledge. That being said, once you are done with the changes I'll pull and test. But to this specific question, I'm pretty sure I don't use table names anywhere. I don't remember, however, if there are other applications of "." inside a query
API is vulnerable to SQL injections via so called "named parameters" ( https://book.cakephp.org/2.0/en/development/routing.html#named-parameters ).

In the `EventsController::index()` and `MonitorsController::index()` methods (located in `web/api/app/Controller/EventsController.php` and `web/api/app/Controller/MonitorsController.php`), `$this->request->params['named']` is directly being used as conditions for `Model::find()` calls, and unless named parameters are explicitly whitelisted ( https://book.cakephp.org/2.0/en/development/routing.html#controlling-named-parameters ), arbitrary values can be passed, which means that it's possible to define the key side of the conditions array, which is where CakePHP accepts plain SQL.

Here's a basic example for testing purposes:

This will result in a conditions array that looks like

which will subsequently generate the following SQL:

Named parameters should either be whitelisted on router level, either per route ( https://book.cakephp.org/2.0/en/development/routing.html#per-route-named-parameters ) or globally via `Router::connectNamed()`, i.e. every possible column/operator combination (like `Id >=`, `Id <=`, `Id =`, etc.) needs to be registered, or they should be validated against whitelists manually accordingly.

The above example has been tested against the latest release and the master branch, using the release and the development docker files ( https://github.com/ZoneMinder/zmdockerfiles ).
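As an added illustration of the manual whitelist validation suggested above (example code, not ZoneMinder's or CakePHP's own): a helper that takes the named-parameter array and only re-emits keys matching an assumed allowlist of bare column names plus a fixed operator set, so the key side of the conditions array can never carry arbitrary SQL. The function name, the model-name parameter and the column list are assumptions.

```php
<?php
// Added example (not ZoneMinder's code): allowlist validation of CakePHP 2
// named parameters before they are handed to Model::find() as conditions.
// In CakePHP 2 conditions arrays the KEY side ("Id >=") is emitted as raw
// SQL while the VALUE side is escaped, so the key is what must be constrained.

/**
 * Build a safe conditions array from $this->request->params['named'].
 *
 * @param array  $named   e.g. array('Id >=' => '5', 'MonitorId' => '2')
 * @param string $model   model name used as the column prefix (assumed, e.g. 'Event')
 * @param array  $columns allowed bare column names for this controller (assumed list)
 * @return array          conditions whose keys are always "<Model>.<Column> <op>"
 * @throws InvalidArgumentException when a key or value is not on the allowlist
 */
function safeConditions(array $named, $model, array $columns) {
    $operators = array('=', '!=', '<', '<=', '>', '>=', 'LIKE');
    $conditions = array();
    foreach ($named as $key => $value) {
        // Exactly one column token, optionally followed by exactly one operator
        // token. "Id = 1 OR 1" has extra tokens and therefore fails the match.
        if (!preg_match('/^([A-Za-z]\w*)(?:\s+(\S+))?$/', trim($key), $m)) {
            throw new InvalidArgumentException("Rejected named parameter key: $key");
        }
        $column = $m[1];
        $op = isset($m[2]) ? strtoupper($m[2]) : '=';
        if (!in_array($column, $columns, true) || !in_array($op, $operators, true)) {
            throw new InvalidArgumentException("Rejected named parameter key: $key");
        }
        if (is_array($value)) {
            // Array values change how CakePHP renders the condition; keep it scalar.
            throw new InvalidArgumentException("Rejected array value for: $key");
        }
        // Re-emit a canonical key; the caller's key string is never reused.
        $conditions["$model.$column $op"] = $value;
    }
    return $conditions;
}

// Demo (constructed input): a legitimate filter passes, the injected key is rejected.
$allowed = array('Id', 'MonitorId', 'StartTime');
$ok = safeConditions(array('Id >=' => '5', 'MonitorId' => '2'), 'Event', $allowed);
try {
    safeConditions(array('Id = 1 OR 1' => '1'), 'Event', $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```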