opted-eu / wp3inventory

WP3 Inventory
https://meteor.opted.eu/
GNU General Public License v3.0

Query: Arbitrary URL Parameters lead to 500 #194

Closed mrwunderbar666 closed 2 years ago

mrwunderbar666 commented 2 years ago

Arbitrary URL parameters of automated attacks or malicious user input should return 404 (not 500)

mrwunderbar666 commented 2 years ago

Example request: https://meteor.opted.eu/query?dgraph.type=Source%27nvOpzp%3B%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),&geographic_scope_subunit=0xc45e%27nvOpzp%3B%20AND%201=1%20OR%20(%3C%27%22%3EiKO))

decoded URL:

https://meteor.opted.eu/query?dgraph.type=Source'nvOpzp; AND 1=1 OR (<'">iKO)),&geographic_scope_subunit=0xc45e'nvOpzp; AND 1=1 OR (<'">iKO))
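One way to get the behaviour the issue asks for (404 instead of 500 on junk parameters) is to validate the query string against an allowlist before anything reaches the database. The following is an added example, not code from the wp3inventory repository: it is framework-agnostic Python that takes a request URL, parses it with the standard library, and rejects any parameter name that is not known or any value that does not match the expected shape. The parameter set, the value patterns (a type name for `dgraph.type`, a `0x` hex identifier for `geographic_scope_subunit`) and the `validate_query` / `handle_query` names are assumptions made for this example; the attack URL is the one from the comment above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Allowlist of accepted query parameters and the shape their values must have.
# Constructed for this example; the real inventory's parameter set is not on the page.
ALLOWED_PARAMS = {
    # a bare type name, e.g. "Source"
    "dgraph.type": re.compile(r"[A-Za-z][A-Za-z0-9]*"),
    # a hex identifier such as 0xc45e (assumed format for this example)
    "geographic_scope_subunit": re.compile(r"0x[0-9a-f]+"),
}

# The request quoted in the issue (copied as-is for the test below).
ATTACK_URL = (
    "https://meteor.opted.eu/query?dgraph.type=Source%27nvOpzp%3B%20AND%201=1%20OR%20"
    "(%3C%27%22%3EiKO)),&geographic_scope_subunit=0xc45e%27nvOpzp%3B%20AND%201=1%20OR%20"
    "(%3C%27%22%3EiKO))"
)


def validate_query(url):
    """Validate the query string of `url` against ALLOWED_PARAMS.

    Returns (status, detail): (200, {param: [values]}) when every parameter is
    known and well-formed, otherwise (404, reason) so the route can stop before
    the value is ever used to build a database query.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    cleaned = {}
    for key, value in pairs:
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None:
            return 404, "unknown parameter %r" % key
        # fullmatch: the whole value must match, so "Source'nvOpzp; AND 1=1 ..."
        # is rejected even though it starts with a valid type name.
        if not pattern.fullmatch(value):
            return 404, "malformed value for %r" % key
        cleaned.setdefault(key, []).append(value)
    return 200, cleaned


def handle_query(url):
    """Minimal stand-in for a /query route: 404 on bad input, 200 otherwise.

    A real route would run the database query only on the 200 path; here the
    body is just the cleaned parameter dict so the behaviour can be checked.
    """
    status, detail = validate_query(url)
    if status != 200:
        # Log the reason for detection purposes, but do not echo the raw value
        # back to the client.
        print("rejected request: %s" % detail)
        return 404, "not found"
    return 200, detail


if __name__ == "__main__":
    print(handle_query(ATTACK_URL))
    print(handle_query("https://meteor.opted.eu/query?dgraph.type=Source&geographic_scope_subunit=0xc45e"))
```

Because the check runs on the parsed parameters rather than on the raw string, it does not need to know what the payload looks like; anything that is not a type name or a hex identifier is a 404, which is what the issue asks for.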

mrwunderbar666 commented 2 years ago

closing for now, since malicious attacks end up in valid routes and do not leak out data