nextcloud / registration

User registration app for Nextcloud
GNU Affero General Public License v3.0

Email input not validated as email address before storing #209

Closed olegchensky closed 4 years ago

olegchensky commented 4 years ago

High level

SQL Injection Vulnerability /index.php/apps/registration/

Short Description

Server is vulnerable to SQL Injection attacks at this URL.

Description

SQL Injection is one of the most common techniques for hacking websites and applications which use databases. SQL injection attacks include insertion or "injection" of an arbitrary SQL query via client-submitted input. SQL injection depends on the DBMS type and environment used, and may allow attackers to send arbitrary queries to the database (e.g. queries to read arbitrary tables, or delete, modify, and add data), obtain read and/or write access to local files, as well as execute arbitrary commands on the target server.

Method : POST
Vulnerable parameter type : POST parameter
Vulnerable parameter name : email
Attack vector : test@test.com'7_CRASHER_8
URL : https://cloud.grot.de/index.php/apps/registration/
SQL Injection type : Blind SQL injection
Marker : None
Headers : {'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36'}
GET Request : {}
POST Request : {'email': ["test%40test.com'7_CRASHER_8"], 'requesttoken': ['ZwFMSUN5fMBzSAryYc1GS8E8aJG+tszXU3N7ud5bi6Q=%3APlUvDHsUEqE7EFrKWPs%2FDJNFGsfR0KvvPCQd6+4c6pU=']}
Response time : 5.063

Full request

POST /index.php/apps/registration/ HTTP/1.1
host: cloud.grot.de
Accept: /
Accept-Encoding: deflate, gzip
Cookie: ocn81ij4fkmk=5hhunh1f5l64e0hnlbdi8cptdg; __Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true; oc_sessionPassphrase=zwMPfBHNRe%2BFAucLiZLZPINJ%2FlT68jYtQDytA%2FaE04oYPRRikI%2FXt%2BrANRw1KoyjW%2FhANjIbRVczKNCxZTk1ppu7cI8h56OaaxmVE1DxyBI5VTMoZXMvZeyOwh27Jkvd
user-agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
pragma: no-cache
cache-control: no-cache
content-type: application/x-www-form-urlencoded
Content-Length: 138

email=test@test.com'7_CRASHER_8&requesttoken=ZwFMSUN5fMBzSAryYc1GS8E8aJG%2BtszXU3N7ud5bi6Q=:PlUvDHsUEqE7EFrKWPs/DJNFGsfR0KvvPCQd6%2B4c6pU=

How to fix

Check the source code of your web application, and add input data filtering if required. Use international (e.g. OWASP's) standards and guidelines when creating applications.

Links

https://en.wikipedia.org/wiki/SQL_injection
https://www.owasp.org/index.php/SQL_Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

pellaeon commented 4 years ago

Hi, thanks for reporting, can you elaborate more on why this is a SQL injection attack?

I tested and indeed see test@test.com'7_CRASHER_8 is inserted into the database, but this still does not trick the database into executing any SQL query from the input. Nor do I see possible ways to reveal existing data in the database as described by https://owasp.org/www-community/attacks/Blind_SQL_Injection

I acknowledge that currently the field is not properly filtered before insertion into the database. But the consequence of this is only insertion of garbage data. This is a bug, not a security vulnerability.

Please elaborate if I missed something. The bug will be fixed in the next release.

olegchensky commented 4 years ago

I can't say more, sorry. I use a scanner (XSpider) and receive reports. If I find more, I will post it here.

nickvergessen commented 4 years ago

Yeah, this is a false positive. I mean, sure, test@test.com'7_CRASHER_8 is not a valid email address, but at least there is no SQL injection.

nickvergessen commented 4 years ago

This is already done since https://github.com/nextcloud/registration/blob/f224b89da3928d63ad73eed6b292a0d6b998730a/lib/Service/MailService.php#L66-L74
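To illustrate the two points made in this thread, the "How to fix" advice in the report and the maintainers' conclusion that the fix is to validate the address before storing it, here is an added PHP example. It is not code from the registration app: the table name `registration`, the function names and the use of an in-memory SQLite database are assumptions made for the demo. It validates the address with PHP's built-in FILTER_VALIDATE_EMAIL, rejects the scanner payload from the report, and uses a prepared statement for the insert so that even an unvalidated value would be stored literally rather than interpreted as SQL.

```php
<?php
declare(strict_types=1);

// Added example, not the registration app's own code. Table and function
// names are hypothetical.

function isValidEmail(string $email): bool
{
    // FILTER_VALIDATE_EMAIL rejects the scanner payload because
    // "test.com'7_CRASHER_8" is not a valid domain part; it also rejects
    // empty strings, embedded whitespace and addresses without a domain.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function storePendingRegistration(PDO $db, string $email): bool
{
    if (!isValidEmail($email)) {
        return false; // reject garbage instead of storing it
    }
    // Bound parameter: the value is sent separately from the SQL text.
    $stmt = $db->prepare('INSERT INTO registration (email) VALUES (:email)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed demo environment: in-memory SQLite, hypothetical schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registration (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

$inputs = [
    'alice@example.org',          // valid: stored
    "test@test.com'7_CRASHER_8",  // payload from the scanner report: rejected
    'not-an-address',             // no domain part: rejected
];

foreach ($inputs as $input) {
    $result = storePendingRegistration($db, $input) ? 'stored' : 'rejected';
    printf("%-28s => %s\n", $input, $result);
}

// Why the report is a false positive: even when validation is bypassed,
// a bound parameter stores the quote character as data. The row count
// goes up by exactly one and no other statement is executed.
$stmt = $db->prepare('INSERT INTO registration (email) VALUES (:email)');
$stmt->bindValue(':email', "test@test.com'7_CRASHER_8", PDO::PARAM_STR);
$stmt->execute();
$count = (int) $db->query('SELECT COUNT(*) FROM registration')->fetchColumn();
printf("rows stored: %d\n", $count); // 2: alice@example.org plus the literal payload
```

Run it with `php example.php`; it needs the pdo_sqlite extension. The first block of output shows the validation layer rejecting the payload (the bug the maintainers fixed), and the final line shows that the quoted value inserted through a bound parameter is simply garbage data, which is the distinction pellaeon draws between a data-quality bug and an injection vulnerability.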