Closed olegchensky closed 4 years ago
Hi, thanks for reporting, can you elaborate more on why this is a SQL injection attack?
I tested and indeed see test@test.com'7_CRASHER_8 is inserted into the database, but this still does not trick the database into executing any SQL query from the input. Nor do I see possible ways to reveal existing data in the database as described by https://owasp.org/www-community/attacks/Blind_SQL_Injection
I acknowledge that currently the field is not properly filtered before insertion into the database. But the consequence of this is only insertion of garbage data. This is a bug, not a security vulnerability.
Please elaborate if I missed something. The bug will be fixed in the next release.
I can't say more, sorry. I use a scanner (XSpider) and receive reports. If I find more, I will post it here.
Yeah this is a false positive. I mean sure test@test.com'7_CRASHER_8 is not a valid email address, but at least there is no SQL injection.
High level
SQL Injection Vulnerability /index.php/apps/registration/
Short Description
Server is vulnerable to SQL Injection attacks at this URL.
Description
SQL Injection is one of the most common techniques for hacking websites and applications which use databases. SQL injection attacks include insertion or "injection" of an arbitrary SQL query via client-submitted input. SQL injection depends on the used DBMS type and environment, and may allow attackers to send arbitrary queries to the database (e. g. queries to read arbitrary tables, or delete, modify, and add data), obtain read and/or write access to local files, as well as execute arbitrary commands on the target server.
Method: POST
Vulnerable parameter type: POST parameter
Vulnerable parameter name: email
Attack vector: test@test.com'7_CRASHER_8
URL: https://cloud.grot.de/index.php/apps/registration/
SQL Injection type: Blind SQL injection
Marker: None
Headers: {'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36'}
GET Request: {}
POST Request: {'email': ["test%40test.com'7_CRASHER_8"], 'requesttoken': ['ZwFMSUN5fMBzSAryYc1GS8E8aJG+tszXU3N7ud5bi6Q=%3APlUvDHsUEqE7EFrKWPs%2FDJNFGsfR0KvvPCQd6+4c6pU=']}
Response time: 5.063
Full request
POST /index.php/apps/registration/ HTTP/1.1
host: cloud.grot.de
Accept: /
Accept-Encoding: deflate, gzip
Cookie: ocn81ij4fkmk=5hhunh1f5l64e0hnlbdi8cptdg; __Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true; oc_sessionPassphrase=zwMPfBHNRe%2BFAucLiZLZPINJ%2FlT68jYtQDytA%2FaE04oYPRRikI%2FXt%2BrANRw1KoyjW%2FhANjIbRVczKNCxZTk1ppu7cI8h56OaaxmVE1DxyBI5VTMoZXMvZeyOwh27Jkvd
user-agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
pragma: no-cache
cache-control: no-cache
content-type: application/x-www-form-urlencoded
Content-Length: 138

email=test@test.com'7_CRASHER_8&requesttoken=ZwFMSUN5fMBzSAryYc1GS8E8aJG%2BtszXU3N7ud5bi6Q=:PlUvDHsUEqE7EFrKWPs/DJNFGsfR0KvvPCQd6%2B4c6pU=
How to fix
Check the source code of your web application, add input data filtering if required. Use international (e. g. OWASP's) standards and guidelines when creating applications.
Links
https://en.wikipedia.org/wiki/SQL_injection
https://www.owasp.org/index.php/SQL_Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
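An added example (not the registration app's own code) showing the distinction the maintainers draw above and the fix the report asks for: with a bound parameter the scanner's input is stored as data, a string-built query would instead fail to parse on the stray quote (which is what a blind-SQLi scanner probes for), and an address check rejects it before it reaches the database at all. The sqlite table, the email regex and the function names are assumptions of this example.

```python
import re
import sqlite3

# Attack vector taken from the scanner report above.
VECTOR = "test@test.com'7_CRASHER_8"

# Deliberately simple address check; an assumption of this example,
# not the registration app's own validation rule.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def new_db() -> sqlite3.Connection:
    # In-memory table standing in for the registration storage (constructed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return conn


def insert_parameterized(conn: sqlite3.Connection, email: str) -> str:
    # Bound parameter: the quote is stored as data and never parsed as SQL.
    # This is the "garbage data, not injection" outcome the maintainer observed.
    conn.execute("INSERT INTO registration (email) VALUES (?)", (email,))
    return conn.execute("SELECT email FROM registration").fetchone()[0]


def insert_concatenated(conn: sqlite3.Connection, email: str) -> str:
    # String-built query: the quote terminates the literal and the statement
    # does not parse. A scanner that sees this failure reports "SQL injection".
    try:
        conn.execute(f"INSERT INTO registration (email) VALUES ('{email}')")
        return "inserted"
    except sqlite3.OperationalError:
        return "syntax error"


def register(conn: sqlite3.Connection, email: str) -> str:
    # Hardened path: validate the field first, then bind it.
    if not is_valid_email(email):
        return "rejected"
    insert_parameterized(conn, email)
    return "inserted"
```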