performant-software / Neatline

A lightweight framework for building interactive maps and publishing them on the web.
www.neatline.org

"order" parameter in records view is vulnerable to SQL injection #497

Closed jaguillette closed 3 years ago

jaguillette commented 3 years ago

We've received a third-party vulnerability report that the order parameter on the records view is vulnerable to SQL injection. I've verified that we're up to date (version 2.6.3) on the site reported, so the earlier SQL injection vulnerability via the extent parameter has been patched.

This can be verified on a site with Neatline installed by appending /neatline/records?order=if(now()=sysdate()%2Csleep(10)%2C0) to the base URL for the site. That executes an SQL command to sleep for 5 seconds, resulting in a 5-second delay when loading the page.

Can this input be sanitized to prevent SQL injection attacks?
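Since a sort column is an identifier rather than a value, it cannot be bound as a prepared-statement parameter; the standard mitigation is to map the request value onto an allowlist of known columns and directions and never interpolate the raw input. The following is an added example of that check (not Neatline's own code); the column names are assumed for illustration.

```php
<?php
// Added example, not from the Neatline codebase: constrain a user-supplied
// "order" query parameter to an allowlist before it reaches ORDER BY.

/**
 * Return a safe ORDER BY fragment for an "order" request value, or null
 * when the value is not on the allowlist (the caller then falls back to
 * a default ordering instead of using the input).
 *
 * Accepted forms: "column" or "column direction", whitespace separated.
 */
function safeOrderClause(?string $order): ?string
{
    // Assumed sortable columns of a records table (illustrative names).
    $allowedColumns = ['id', 'title', 'added', 'modified'];
    $allowedDirections = ['ASC', 'DESC'];

    if ($order === null || trim($order) === '') {
        return null;
    }

    // Split into at most two tokens: column and optional direction.
    $parts = preg_split('/\s+/', trim($order), 2);
    $column = strtolower($parts[0]);
    $direction = isset($parts[1]) ? strtoupper($parts[1]) : 'ASC';

    // Strict comparison against our own literals; anything else is rejected.
    if (!in_array($column, $allowedColumns, true)) {
        return null;
    }
    if (!in_array($direction, $allowedDirections, true)) {
        return null;
    }

    // Both tokens now come from the allowlists, not from the request string.
    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

// Usage: a benign sort is mapped to a fixed fragment, while the
// function-call payload quoted in this report matches no allowlisted
// column and is rejected (null), so it never reaches the query.
$clause = safeOrderClause($_GET['order'] ?? null);
$sql = 'SELECT * FROM records ' . ($clause ?? 'ORDER BY `id` ASC');
```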

shane-et-al commented 3 years ago

Well that's no good, I'll take a look.

shane-et-al commented 3 years ago

Merged