Closed areynold closed 9 years ago
The Serval DNA SQL injection vulnerability is now fixed. See Serval DNA issue #69. This fix will go into the next release of Batphone.
There should never be another SQL injection vulnerability in Serval DNA as long as developers follow the pattern of using SQLite parameter binding and do not use sprintf(3) et al for SQL query construction.
Leaving this open until we've integrated the upstream release that incorporates this fix.
The HTTP URL parameters are not sanitized in rhizome_http.c when /rhizome/manifestbyprefix/ is requested.
Since SQLite is used as a DBMS, no grave security impact could be found in the context of this service. A cause for concern would arise if another DBMS were to be used, as it could lead to potential command execution with the INTO OUTFILE statements. For this reason, the SQL parameters should be sanitized regardless of which DBMS is chosen, as a change may result in injections leading to information leakages.
Originally reported as WRT-01-005
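An added example, not Serval DNA's own code: it is written in Python against the standard sqlite3 module rather than the C API Serval uses, and puts the sprintf(3)-style query construction the issue describes beside the SQLite parameter-binding pattern the fix adopts. The table, column names and rows are constructed stand-ins for the Rhizome manifest store, not the project's real schema.

```python
import sqlite3

# Constructed sample data: a stand-in for the Rhizome manifest table.
# The column names are assumptions, not Serval DNA's schema.
SAMPLE_MANIFESTS = [
    ("a1b2c3d4", "public-file"),
    ("ffee0011", "private-file"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE manifests (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO manifests VALUES (?, ?)", SAMPLE_MANIFESTS)
    return db


def manifest_by_prefix_unsafe(db, prefix):
    """The pattern the issue warns against: the URL parameter is spliced into
    the SQL text (as sprintf(3) would), so a quote inside it changes the
    structure of the query instead of being compared as data."""
    sql = "SELECT id, name FROM manifests WHERE substr(id, 1, %d) = '%s'" % (
        len(prefix), prefix)
    return db.execute(sql).fetchall()


def manifest_by_prefix_bound(db, prefix):
    """The recommended pattern: the SQL text is fixed and the value is bound
    to '?' placeholders, so SQLite only ever sees it as a string literal."""
    sql = "SELECT id, name FROM manifests WHERE substr(id, 1, length(?)) = ?"
    return db.execute(sql, (prefix, prefix)).fetchall()


def compare(prefix):
    """Return (unsafe_rows, bound_rows) for the same parameter value, so the
    difference in behaviour on a quote-bearing input is visible side by side."""
    db = make_db()
    return manifest_by_prefix_unsafe(db, prefix), manifest_by_prefix_bound(db, prefix)


if __name__ == "__main__":
    print(compare("a1"))           # both variants return the matching row
    print(compare("' OR 1=1 --"))  # unsafe leaks every row; bound returns none
```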