SQL Injection Vulnerability in api /api/v1/containers #19500

xiaozhicai · 2020-10-27T01:40:55Z

api : /api/v1/containers
Is vulnerable to SQL injection, by the parameter ‘orderby’ in url.

As the pictures above shows,
orderby=title;%20SELECT%20PG_SLEEP(2)%20-- , it took 2 seconds to receive the response from server
orderby=title;%20SELECT%20PG_SLEEP(5)%20-- , it took 5 seconds to receive the response from server

Then I read through the code that I download from github(version 5.3.6.1), I found that the parameter will form SQL without sterilization (yeah, you have designed SQLUtil.sanitizeSortBy to prevent SQL injection, but in this case, the vulnerable API didn't call SQLUtil.sanitizeSortBy）

I tried to attack the project by sqlmap(a tool to detect and exploit SQL injection), and here is the result that sqlmap gave me:
tables that the project contains:

columns that the table called ‘adminconfig’ contains:

It’s obviously that there is SQL injection in your program.

* #18605 pauses and then unpauses based on a cache invalidation * #18605 adding ttl to the cache put in the logger * #18605 less logging * #19500 sanitize sql * #19500 fixes potential sql vunerabilities * #19500 writing tests * #19500 tests * we should not need TLS set to true * #19500 removing unneeded files

wezell · 2020-10-28T18:54:50Z

Note to QA:

test creating templates, layouts, pages
test searching for templates, containers (from a page, from the portlets, from the layout editor)
test host copy

dsilvam · 2020-10-30T19:21:55Z

Passed Internal QA: sortOrder param getting sanitized and functionality above working as expected.

bryanboza · 2020-10-30T22:44:03Z

Fixed, tested on release-20.10.1 // Postgres // FF

* Update dotcmsReleaseVersion and coreWebReleasion version * update release version * #18505 JSONTool does not return sub arrays * #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists * #18505 now the JSONTool uses the Jackson to map the string json as a single Maps and Lists * #19364 Unable to edit category permissions as limited user even you have full rights * #18314 Make Query Tool Use fetch() to fill response * #19098 SAML update logout page. (#19450) * include css in jsp * label updated * Updating sql files (#19478) * Updating sql files to remove contraints * Updating sql files to remove contraints * #18690 Allow Push publish just for enterprise license in the receiver (#19492) * #18690 Allow Push publish just for enterprise license in the receiver * testing * Fixing test * Issue 19500 sql injection containers (#19501) * #18605 pauses and then unpauses based on a cache invalidation * #18605 adding ttl to the cache put in the logger * #18605 less logging * #19500 sanitize sql * #19500 fixes potential sql vunerabilities * #19500 writing tests * #19500 tests * we should not need TLS set to true * #19500 removing unneeded files * #19338 dont lowercase (#19506) * #19338 dont lowercase * #19338 integration test * #19338 missing test resource * #19509 use proper db columm in query (#19510) * #19509 use proper db columm in query * #19509 use proper property from contentlet * #19509 fix integration test * #19509 fix integration test * #19471 Use proper value when discarding conflicts (#19519) * #18780 fixes job when new hostname starts with original hostname (#19522) * #19509 Fixing bug when use comma in host's name (#19528) * #19509 Fixing bug when use comma in host's name * Fixing test * update core-web version * merge with master * Update .gitmodules * Update gradle.properties Co-authored-by: Jonathan <jonathan.sanchez@dotcms.com> Co-authored-by: erickgonzalez <erick.gonzalez@dotcms.com> Co-authored-by: hmoreras <31667212+hmoreras@users.noreply.github.com> Co-authored-by: Freddy Rodriguez <freddy0309@gmail.com> Co-authored-by: Will Ezell <will@dotcms.com>

xiaozhicai added the Type : Defect label Oct 27, 2020

wezell added OKR : Security & Privacy Owned by Mehdi Release : 20.10.1 labels Oct 27, 2020

wezell added a commit that referenced this issue Oct 27, 2020

#19500 sanitize sql

10a7a6b

wezell added a commit that referenced this issue Oct 27, 2020

#19500 fixes potential sql vunerabilities

cce6934

wezell added a commit that referenced this issue Oct 27, 2020

#19500 writing tests

dbd2b78

wezell added a commit that referenced this issue Oct 27, 2020

#19500 tests

239d29e

wezell added a commit that referenced this issue Oct 27, 2020

#19500 removing unneeded files

b231adf

dsilvam added Merged QA : Needs Internal labels Oct 28, 2020

dsilvam added this to the Maintenance Sprint milestone Oct 28, 2020

dsilvam added QA : Passed Internal and removed QA : Needs Internal labels Oct 30, 2020

bryanboza added the QA : Approved label Oct 30, 2020

dsilvam closed this as completed Nov 5, 2020

swicken-dotcms added a commit that referenced this issue May 13, 2021

#19500 : Adding code changes to dotCMS 5.3.8.5 LTS release.

cb76208

swicken-dotcms added a commit that referenced this issue May 13, 2021

#19500 : Adding code changes to dotCMS 5.2.8.5 LTS release.

fe3cc58

swicken-dotcms added Release : 5.2.8.5 Release : 5.3.8.5 Included in LTS patch release 5.3.8.5 labels May 13, 2021

rweiner added Changelog: Needs Doc Changelog: Documented and removed Changelog: Needs Doc labels May 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL Injection Vulnerability in api /api/v1/containers #19500

SQL Injection Vulnerability in api /api/v1/containers #19500

xiaozhicai commented Oct 27, 2020

wezell commented Oct 28, 2020

dsilvam commented Oct 30, 2020 •

edited

Loading

bryanboza commented Oct 30, 2020

SQL Injection Vulnerability in api /api/v1/containers #19500

SQL Injection Vulnerability in api /api/v1/containers #19500

Comments

xiaozhicai commented Oct 27, 2020

wezell commented Oct 28, 2020

dsilvam commented Oct 30, 2020 • edited Loading

bryanboza commented Oct 30, 2020

dsilvam commented Oct 30, 2020 •

edited

Loading