RCE Vulnerability in Beekeeper Studio #1051

Closed
sharpleung opened this issue Feb 21, 2022 · 6 comments
sharpleung commented Feb 21, 2022

author: Gqliang@Hillstone
Date: 2022-02-21

  • Display fields are not filtered, allowing arbitrary code to be inserted.
  • e.g.: [image: image-20220221143022289]
  • We can fake a MySQL server so that any SQL statement executed when the user connects will execute the remote code we expect.
  • exp: https://github.com/sharpleung/beekeeper-studio/blob/main/index.php
  • Run this exp program.
  • e.g.: [image: image-20220221151853462]
  • As long as you execute any SELECT query on the program, the vulnerability will be triggered to execute arbitrary remote code. Of course it's not just that.
  • e.g.: [image: image-20220221152601854]
@rathboma
Collaborator

Let me investigate this. It is supposed to escape output, but I'll make sure it does.

@rathboma
Collaborator

I have a fix in. I was escaping table VALUES, but not table HEADERS.

There's a build in progress, can you take a look when it's done to see if you can break it again?

Build artifacts will appear here: https://github.com/beekeeper-studio/beekeeper-studio/actions/runs/1877329726

Also you've just reminded me I need a security@ email for reporting vulnerabilities.
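
The fix described in the comment above (escaping table headers as well as table values), as an added example that is not Beekeeper Studio's code. The renderer functions, the result shape (`fields`, `rows`) and the harmless `<i data-probe>` markup are assumptions constructed for illustration.

```javascript
// Added example: hypothetical result-grid renderer, not Beekeeper Studio's code.
// Assumed result shape: { fields: [{ name }], rows: [{ <name>: value }] }.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the table; `escapeHeader` is applied to column names, which come from
// the database server exactly as cell values do.
function renderGrid(result, escapeHeader) {
  const head = result.fields.map((f) => `<th>${escapeHeader(f.name)}</th>`).join("");
  const body = result.rows
    .map((row) => {
      const cells = result.fields.map((f) => `<td>${escapeHtml(row[f.name])}</td>`);
      return `<tr>${cells.join("")}</tr>`;
    })
    .join("");
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// "Before": values escaped, headers passed through unchanged.
const renderValuesOnly = (result) => renderGrid(result, (name) => name);
// "After": headers go through the same escaper as values.
const renderEscaped = (result) => renderGrid(result, escapeHtml);

// Regression check: list the probe markers that reached the output as live markup.
function liveProbes(html) {
  return [...html.matchAll(/<i data-probe="(\w+)">/g)].map((m) => m[1]);
}

// Constructed result set: a harmless <i> probe in a column name and in a value.
const sample = {
  fields: [{ name: "id" }, { name: '<i data-probe="hdr">name</i>' }],
  rows: [{ id: 1, '<i data-probe="hdr">name</i>': '<i data-probe="val">alice</i>' }],
};

console.log(liveProbes(renderValuesOnly(sample))); // [ 'hdr' ]
console.log(liveProbes(renderEscaped(sample)));    // []
```

A check like `liveProbes` fits a regression test for every place server-controlled strings are rendered (column names, table names, error messages), not only cell values.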

@rathboma
Collaborator

@sharpleung
Author

> @sharpleung can you double check this build for me? https://github.com/beekeeper-studio/beekeeper-studio/actions/runs/1877329726

Sorry, I didn't see the message because of the time difference. OK, I'll check again.

@sharpleung
Author

sharpleung commented Feb 22, 2022

@rathboma After checking, we believe the vulnerability has been fixed. We will actively contact you if we discover other security issues in the future. Thanks! :)

@rathboma
Collaborator

Thank you! I'll push out a release tomorrow with this fix.
