-
-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential buffer overflow and sql injection bugs in oui-httpd @ session_login() #89
Comments
Actually what's the goal for oui-http? it seems doing what uhttpd does, is this for performance reason? what's its advantage over uhttpd |
I can better control the progress of the project and facilitate the expansion of functionality |
@zhaojh329 hey Jianhui -- maybe I missed it, but did you get a chance to take a look at the issues described above? |
Better solution would be to never ever use |
Vue3 + Nginx + Lua is coming... |
Environment:
OpenWRT latest (untested)
Description:
oui/oui-httpd/src/session.c
Line 180 in 867faf3
In session.c, session_login() calls sprintf() on a fixed-size buffer
sql
of size 256. A large username of > 256 bytes would overflow thesql
buffer and possibly lead to remote code execution. Also, username is being concatenated into a SQL statement without any validation, so SQL code injection looks like be possible as well.These also look to be triggerable non-authenticated, before login as this is in the login routine itself, but let me know if that's incorrect or there is actually auth somewhere else beforehand.
There is a length check on username and password in session_create(), but that's called after session_login(), so it's not helpful in preventing attacks here.
FIX: 1) ensure username and password are always smaller than eg. sizeof(SELECT ... statement), probably ok to put them both max size at 32 or 64, and 2) validate username is always alphanumeric only, plus non-injection characters if necessary, so SQLi isn't possible.
References:
The text was updated successfully, but these errors were encountered: