-
Notifications
You must be signed in to change notification settings - Fork 464
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL Injection Vulnerability in api /api/v1/containers #19500
Labels
Changelog: Documented
Merged
OKR : Security & Privacy
Owned by Mehdi
QA : Approved
QA : Passed Internal
Release : 5.2.8.5
Release : 5.3.8.5
Included in LTS patch release 5.3.8.5
Release : 20.10.1
Type : Defect
Comments
wezell
added a commit
that referenced
this issue
Oct 27, 2020
wezell
added a commit
that referenced
this issue
Oct 27, 2020
dsilvam
pushed a commit
that referenced
this issue
Oct 28, 2020
* #18605 pauses and then unpauses based on a cache invalidation * #18605 adding ttl to the cache put in the logger * #18605 less logging * #19500 sanitize sql * #19500 fixes potential sql vunerabilities * #19500 writing tests * #19500 tests * we should not need TLS set to true * #19500 removing unneeded files
Note to QA:
|
Passed Internal QA: |
Fixed, tested on release-20.10.1 // Postgres // FF |
dsilvam
added a commit
that referenced
this issue
Nov 4, 2020
* Update dotcmsReleaseVersion and coreWebReleasion version * update release version * #18505 JSONTool does not return sub arrays * #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists * #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists * #19364 Unable to edit category permissions as limited user even you have full rights * #18314 Make Query Tool Use fetch() to fill response * #19098 SAML update logout page. (#19450) * include css in jsp * label updated * Updating sql files (#19478) * Updating sql files to remove contraints * Updating sql files to remove contraints * #18690 Allow Push publish just for enterprise license in the receiver (#19492) * #18690 Allow Push publish just for enterprise license in the receiver * testing * Fixing test * Issue 19500 sql injection containers (#19501) * #18605 pauses and then unpauses based on a cache invalidation * #18605 adding ttl to the cache put in the logger * #18605 less logging * #19500 sanitize sql * #19500 fixes potential sql vunerabilities * #19500 writing tests * #19500 tests * we should not need TLS set to true * #19500 removing unneeded files * #19338 dont lowercase (#19506) * #19338 dont lowercase * #19338 integration test * #19338 missing test resource * #19509 use proper db columm in query (#19510) * #19509 use proper db columm in query * #19509 use proper property from contentlet * #19509 fix integration test * #19509 fix integration test * #19471 Use proper value when discarding conflicts (#19519) * #18780 fixes job when new hostname starts with original hostname (#19522) * #19509 Fixing bug when use comma in host's name (#19528) * #19509 Fixing bug when use comma in host's name * Fixing test * update core-web version * merge with master * Update .gitmodules * Update gradle.properties Co-authored-by: Jonathan <jonathan.sanchez@dotcms.com> Co-authored-by: erickgonzalez <erick.gonzalez@dotcms.com> Co-authored-by: hmoreras <31667212+hmoreras@users.noreply.github.com> Co-authored-by: Freddy Rodriguez <freddy0309@gmail.com> Co-authored-by: Will Ezell <will@dotcms.com>
swicken-dotcms
added a commit
that referenced
this issue
May 13, 2021
swicken-dotcms
added a commit
that referenced
this issue
May 13, 2021
swicken-dotcms
added
Release : 5.2.8.5
Release : 5.3.8.5
Included in LTS patch release 5.3.8.5
labels
May 13, 2021
rweiner
added
Changelog: Needs Doc
Changelog: Documented
and removed
Changelog: Needs Doc
labels
May 14, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Changelog: Documented
Merged
OKR : Security & Privacy
Owned by Mehdi
QA : Approved
QA : Passed Internal
Release : 5.2.8.5
Release : 5.3.8.5
Included in LTS patch release 5.3.8.5
Release : 20.10.1
Type : Defect
api : /api/v1/containers
Is vulnerable to SQL injection, by the parameter ‘orderby’ in url.
As the pictures above shows,
orderby=title;%20SELECT%20PG_SLEEP(2)%20-- , it took 2 seconds to receive the response from server
orderby=title;%20SELECT%20PG_SLEEP(5)%20-- , it took 5 seconds to receive the response from server
Then I read through the code that I download from github(version 5.3.6.1), I found that the parameter will form SQL without sterilization (yeah, you have designed SQLUtil.sanitizeSortBy to prevent SQL injection, but in this case, the vulnerable API didn't call SQLUtil.sanitizeSortBy)
I tried to attack the project by sqlmap(a tool to detect and exploit SQL injection), and here is the result that sqlmap gave me:
tables that the project contains:
columns that the table called ‘adminconfig’ contains:
It’s obviously that there is SQL injection in your program.
The text was updated successfully, but these errors were encountered: