LFI (local file inclusion) vulnerability in web console RunScript tool #3175
Comments
In recent releases of H2 these tools are password-protected, but browser sessions opened from the system tray icon of H2 Console have a security key that allows access to these tools and some other features without any additional authentication. In this case you may read files accessible by H2 in various ways, for example, with
Hi katzyn, I agree with you about the impact mitigated by authentication and SQL functions to read the content of files that are expected (FILE_READ), but regardless of that, from a code security perspective, the vulnerability I identified is "Web" type and is due to the lack of validation of user input that reflects the content of an external file in the HTML DOM of the page (it shouldn't do that!), and is therefore NOT an expected feature but a programming error (an SQL error is triggered in the HTML DOM). However, if it is not evaluated as a vulnerability for you, no problem :) Regards,
Thanks for reporting this. We of course would be interested in the details so we can improve validation and error handling
Hi grandinj, thanks. This behaviour in security is known as LFI (local file inclusion) since it allows a hypothetical attacker to read the content of a file external to the application (not expected) present on the server hosting it. Details below: I remain at your disposal for any clarification. Best Regards,
Can this be used to read /etc/shadow or another privileged file?
Like any LFI, it depends on the privileges of the user running the web application.
Right, but per @katzyn's comments that this may not cross privilege boundaries, the question is if this can be used to read a privileged file. My question was in the context of a default installation according to documentation (e.g. if it explicitly says don't run as root). Using /etc/passwd as the determination of a vulnerability in this case isn't ideal as that file is 0644 and any user on the system can access it. So repeating the exploit using /etc/shadow would be helpful.
You need superuser access to read H2 doesn't have any official distributions for POSIX systems and you obviously should never run H2 Server process, other regular DBMS, application servers, and other similar software under root account.
Hi @grandinj, do you think to fix this LFI vulnerability related to error handling in the RunScript Tool functionality? Please, let me know asap. Thanks and Regards,
Well, it's not a security issue, so a CVE is not warranted. It's just a bug.
Hi @grandinj, thanks for your response. Let me know what you think. Thank you.
Hi @grandinj, so you confirm that it is not a security issue for you? However, I would like to submit the issue to MITRE. You will be able to eventually dispute the CVE assignment. They will decide if it is a vulnerability or not. Regards.
Hi, just wondering if there is any movement on this issue? The CVE is now showing up in the OWASP scanning tool for Java using the default configurations, following a recent update from Sonatype to update the OSS Index API. It is possible to list the CVE as a false positive, but it would be better if security scans passed out-of-the-box. https://jeremylong.github.io/DependencyCheck/
Tools of H2 Console used by exploit from CVE-2018-14335 are protected since H2 1.4.198 Beta released more than three years ago, only 1.4.197 and older versions are affected. If some tool incorrectly marks new versions as affected, please report this in issue tracker of that tool.
^ I also encountered this CVE and, upon confirmation by @katzyn that this does not actually affect newer H2 versions, submitted a FP report to DependencyCheck. Ideally there should be an update to the underlying CVE database rather than DependencyCheck to not mark newer versions with this CVE, however.
Hi Team,
During a security assessment I identified a local file inclusion vulnerability within the web console tools. In particular, I verified that it is possible to read the contents of external files on the file system by manipulating the POST request. This triggers a syntax error by reflecting the contents of the file in the HTML DOM of the page.
Let me know if I can post the evidence here.
Thanks and Best Regards,
Gianluca