
AjaxController #87

Open
unknown-opensource opened this issue Jun 12, 2015 · 3 comments

@unknown-opensource
So you're just giving public access for anyone to look up any table by any field?
Why not just pass DQL as a parameter?

@66Ton99
Collaborator

66Ton99 commented Jun 12, 2015

It returns true or false only!

@unknown-opensource
Author

You can learn a lot by performing simple ifs (i.e. are John and Tom friends, was John born in 1981, is there any cash in Tom's account)

@66Ton99 66Ton99 added this to the Backlog milestone Jan 29, 2016
@66Ton99 66Ton99 modified the milestones: Backlog, 1.4.1 Mar 29, 2016
@paolo42

paolo42 commented May 31, 2018

It is a pretty serious issue I think. For example, an attacker can retrieve user passwords using the repository method findByPassword. The method doesn't have to exist; Doctrine allows using these magic methods if there is a DB column with the given name. By trying all password hashes you can eventually find the password hash stored in the DB. Not to mention projects with passwords in plaintext etc. True/false is enough for this; we don't want to simplify it for attackers.

You can also pass arrays to POST, which means that the attacker can use an AND WHERE clause in these requests.

I believe it is also possible to use deleteBy* methods etc. These are not implemented by default, but this issue also allows the attacker to use a custom repository, and a custom repository could have methods like this implemented.

I found out about this issue because some robot was trying to access this URL on my project without it being used in my code at all. This could mean that someone already wrote a robot to scan Symfony projects and check whether this route is accessible.

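The boolean oracle described in the comments above, as an added, self-contained model written for this page (it is not the bundle's code, and the bundle is PHP/Symfony; Python is used here because the attacker-side script is language-agnostic). Assumptions: a constructed in-memory `user` table standing in for a Doctrine entity, an `exists_endpoint()` that mimics a public "does a row with these field values exist?" route answering only true/false, and an optional allowlist of (entity, field) pairs that the hardened variant enforces. It shows the three abuses paolo42 lists: asking a yes/no question about a field ("was John born in 1981"), ANDing several criteria the way an array POST parameter would, and walking a wordlist against a password hash column one request per guess. Names, the table contents and the MD5 hashing are all hypothetical.

```python
"""Model of a public 'does an entity with these field values exist?' route
and how its true/false answer leaks data.  Constructed example, not the
bundle's code: the table, the route and the request shape are assumptions."""

import hashlib
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample table standing in for a Doctrine entity.  Unsalted MD5
# is used only to keep the demo self-contained; the oracle works the same
# way for any deterministic hash, and trivially for plaintext columns.
USERS: List[Dict[str, str]] = [
    {"id": "1", "username": "john",
     "password": hashlib.md5(b"letmein").hexdigest(), "born": "1981"},
    {"id": "2", "username": "tom",
     "password": hashlib.md5(b"hunter2").hexdigest(), "born": "1979"},
]

# Hypothetical allowlist: only the fields the form actually needs a
# uniqueness check for may be queried by an unauthenticated client.
ALLOWED_FIELDS: Set[Tuple[str, str]] = {("user", "username"), ("user", "email")}


def find_by(table: List[Dict[str, str]], criteria: Dict[str, str]) -> List[Dict[str, str]]:
    """Mimics Doctrine's EntityRepository::findBy(array $criteria): every
    key/value pair is ANDed, so an array sent via POST narrows the match."""
    return [row for row in table if all(row.get(k) == v for k, v in criteria.items())]


def exists_endpoint(entity: str, criteria: Dict[str, str],
                    allowed: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """The route as the issue describes it: any entity, any field, any value,
    and the only answer is True/False.  With `allowed` set it becomes the
    hardened variant and refuses fields outside the allowlist."""
    if allowed is not None:
        blocked = sorted(f for f in criteria if (entity, f) not in allowed)
        if blocked:
            raise PermissionError(f"field(s) not permitted for uniqueness check: {blocked}")
    table = {"user": USERS}[entity]
    return len(find_by(table, criteria)) > 0


Oracle = Callable[[str, Dict[str, str]], bool]


def crack_via_oracle(oracle: Oracle, username: str, wordlist: List[str]) -> Optional[str]:
    """Hash each candidate and ask whether a row with this username AND this
    hash exists.  One request per guess; no timing or error side channel is
    needed, the plain true/false is the leak."""
    for candidate in wordlist:
        h = hashlib.md5(candidate.encode()).hexdigest()
        if oracle("user", {"username": username, "password": h}):
            return candidate
    return None


def enumerate_field(oracle: Oracle, field: str, candidates: List[str]) -> List[str]:
    """Answers 'which of these values occur in the column?', one request each
    (e.g. valid usernames, or birth years for a given user)."""
    return [c for c in candidates if oracle("user", {field: c})]


def hardened_endpoint(entity: str, criteria: Dict[str, str]) -> bool:
    """Same route with the allowlist applied; password/born lookups now fail."""
    return exists_endpoint(entity, criteria, allowed=ALLOWED_FIELDS)


if __name__ == "__main__":
    print("born 1981 exists:", exists_endpoint("user", {"born": "1981"}))
    print("john born 1981:", exists_endpoint("user", {"username": "john", "born": "1981"}))
    print("tom's password:", crack_via_oracle(exists_endpoint, "tom", ["password", "hunter2", "letmein"]))
    print("valid usernames:", enumerate_field(exists_endpoint, "username", ["alice", "john", "tom"]))
    try:
        hardened_endpoint("user", {"password": "x"})
    except PermissionError as e:
        print("hardened:", e)
```

The fix the referencing commits chose (removing the route) is the simplest; if the uniqueness check is genuinely needed, the allowlist in `hardened_endpoint` is the minimum, and it should additionally require the same authentication the form itself requires, so anonymous scanners like the one paolo42 observed get nothing at all.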
vitek-rostislav added a commit to shopsys/shopsys that referenced this issue Jun 1, 2018
… table by any field

- the public route is a security issue, see formapro/JsFormValidatorBundle#87
- the purpose of the route is for ajax validation of an entity uniqueness but the feature is not used in the framework anyway
PetrHeinz pushed a commit to shopsys/shopsys that referenced this issue Jun 1, 2018
… table by any field

- the public route is a security issue, see formapro/JsFormValidatorBundle#87
- the purpose of the route is for ajax validation of an entity uniqueness but the feature is not used in the framework anyway
MattCzerner pushed a commit to shopsys/project-base that referenced this issue Jun 2, 2018
… table by any field

- the public route is a security issue, see formapro/JsFormValidatorBundle#87
- the purpose of the route is for ajax validation of an entity uniqueness but the feature is not used in the framework anyway