TimGeyssens / UIOMatic

Auto generate an integrated crud UI in Umbraco for a db table based on a petapoco poco (and more)
https://timgeyssens.gitbook.io/ui-o-matic/

SQL Injection in UIOMatic #227

Closed kushkira closed 2 months ago

kushkira commented 2 months ago

Hey Tim Geyssens,

I happened to find a vulnerability in UIOMatic. Would you mind creating a security page so that I can report it here?

TimGeyssens commented 2 months ago

Sure!

kushkira commented 2 months ago

Please set up your security page so that I can report it from there.

kushkira commented 2 months ago

Just for your reference, you can set up the security policy with this link: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

TimGeyssens commented 2 months ago

It is, and private vulnerability reporting is enabled.

kushkira commented 2 months ago

I found a SQL injection bug in the id parameter. Below are the steps to reproduce.

  1. Click on the UI-O-Matic module.
  2. Click any one entry and capture the request.
  3. A GET request will be generated with the file path '*/uiomatic/object/GetById?typeAlias=cities&id=10'
  4. Enter the payload (%20waitfor%20delay'0%3a0%3a10'--)
  5. It can be seen that the application responds within the time specified in the payload.

Let me know if anything is required.
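The report above shows a time-based blind SQL injection through the `id` query-string value: the server delays its response for as long as the injected `WAITFOR DELAY` asks, which proves the value reached the SQL text unquoted. The following C# example is added here and is not UIOMatic's code; it shows the defect's general shape next to a hardened `GetById`-style handler that validates `typeAlias` against an allowlist, parses `id` as an integer and binds it as a PetaPoco parameter (`@0`), so neither input can alter the statement. `City`, `GetByIdHandler`, `TableByAlias` and the table name `Cities` are hypothetical names chosen for the example.

```csharp
// Added example (not UIOMatic's code): a GetById-style lookup that takes
// typeAlias and id from the query string and resolves the row with PetaPoco.
// Assumed/hypothetical names: City, GetByIdHandler, TableByAlias, "Cities".
using System;
using System.Collections.Generic;
using PetaPoco;

public class City
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class GetByIdHandler
{
    // Allowlist mapping the aliases the UI may request to the table each
    // one backs. Any alias not in this map is rejected before SQL is built,
    // so the table name never comes straight from the request.
    private static readonly Dictionary<string, string> TableByAlias =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "cities", "Cities" },
        };

    // Defective shape (constructed for contrast, not taken from the project):
    // the raw id string is spliced into the statement, so a value that
    // carries extra SQL, like the delay payload in the report, is executed
    // as part of the query. Kept here only to show what the fix removes.
    public static string BuildUnsafeSql(string typeAlias, string rawId)
    {
        return "SELECT * FROM " + typeAlias + " WHERE Id = " + rawId;
    }

    // Hardened shape: validate both inputs, then let PetaPoco bind the id.
    public static City GetById(Database db, string typeAlias, string rawId)
    {
        if (!TableByAlias.TryGetValue(typeAlias ?? string.Empty, out var table))
            throw new ArgumentException("Unknown type alias", nameof(typeAlias));

        // The Id column is an integer, so anything that does not parse as one
        // (trailing SQL, comment markers, quotes) is rejected up front.
        if (!int.TryParse(rawId, out var id))
            throw new ArgumentException("id must be an integer", nameof(rawId));

        // @0 is a PetaPoco positional parameter: the value is sent to SQL
        // Server as a typed parameter, never concatenated into the text.
        return db.SingleOrDefault<City>(
            "SELECT * FROM [" + table + "] WHERE Id = @0", id);
    }
}
```

Two checks worth keeping in mind when reviewing a fix for this class of bug: the parameter must be bound for every code path that builds the query (a single remaining string concatenation is enough to keep the injection alive), and the allowlist for `typeAlias` matters just as much as the `id` parameter, since a table name cannot be bound as a SQL parameter and would otherwise be a second injection point. On the detection side, a sudden cluster of `GetById` requests whose database round trip takes almost exactly N seconds is the signature of the delay-based probing shown in the report.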

kushkira commented 2 months ago

The code goes by and you can find it here: https://github.com/TimGeyssens/UIOMatic/blob/59f7e39b0536b8d499053b8728f363e78967c875/src/UIOMatic/wwwroot/backoffice/resources/uioMaticObject.resource.js#L104

kushkira commented 1 month ago

Hey @TimGeyssens

Any update on this?

TimGeyssens commented 1 month ago

Yes, it seems a solid vulnerability, so verified! But I am not actively working on the project.

So feel free to make a PR to fix this...

The vulnerability can only be exploited with backend access...

kushkira commented 1 month ago

I was hoping to get a CVE for this.