powa-team / powa-web

PoWA user interface
http://powa.readthedocs.io/

Powa-web admits sql injection for the password #193

Closed jlizondo closed 1 month ago

jlizondo commented 5 months ago

powa-web admits sql injection in the login.

In the login window, if you enter for example:

Username: powa
Password: a' or '1'='1
Server: main

you successfully log into the tool.

Versions installed: powa_14-web-4.1.4-1.rhel8.aarch64 powa_14-4.1.4-1.rhel8.aarch64

Oracle Linux Server release 8.7

jlizondo commented 5 months ago

I just saw this: https://powa.readthedocs.io/en/stable/security.html

However, it talks about secure practices to prevent attacks, but it still gives the impression that SQL injection is prevented.

rjuju commented 5 months ago

Hi,

This is quite surprising as there's no SQL involved when establishing a connection to postgres. Note that if for some reason no password is required to login (because you set up a password in the powa-web configuration file, but also because the postgres configuration doesn't require a password) powa-team will simply ignore the password you entered. Just to be sure, do you get a connection error if you try any wrong password that doesn't look like an SQL injection?

jlizondo commented 5 months ago

Hi @rjuju

Yes, if I enter a wrong password then the login process fails. I actually tried this after a login failure just for fun, by chance. I was really surprised when I was able to log in.

2 friends also tested it in 2 different Powa installations, same result.

I assume that (most likely) it's us doing something wrong at configuration time, but not able to find the "what".

rjuju commented 5 months ago

I just tried on a local environment using the password a' or '1'='1 and got a connection error. I'm not sure what's different in your setup.

For the record I'm using the latest version of powa (4.2.0 for the UI and 4.2.2 for the extension), and psycopg2 2.9.9 and SQLAlchemy 1.4.0.

jlizondo commented 5 months ago

@rjuju did you install it from RPM packages, or from sources?

rjuju commented 5 months ago

I installed everything from source, but it doesn't make any difference. As I mentioned a connection on powa-web is directly tied to a postgres connection without any kind of mapping or anything. So by definition you can't inject any SQL before you actually have a connection. I don't know what's happening on your setup but I really doubt you can achieve an SQL injection there.
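
Added illustration of the point made above (example code, not powa-web's own): because powa-web authenticates by opening a PostgreSQL connection with the submitted credentials, the password is a libpq connection parameter, not a fragment of SQL. The block builds a libpq-style conninfo string using libpq's quoting rules and parses it back, showing the reported payload survives only as an opaque literal; function names and the host/dbname values are assumptions.

```python
# Added example (hypothetical helpers, not from powa-web): a password that is
# a libpq connection parameter is quoted as a value, never interpreted as SQL.

def quote_conninfo_value(value: str) -> str:
    # libpq rule: wrap in single quotes; backslash-escape '\' and "'" inside.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build_conninfo(user: str, password: str,
                   host: str = "localhost", dbname: str = "powa") -> str:
    """Build a keyword=value conninfo string (host/dbname are assumed values)."""
    params = {"host": host, "dbname": dbname, "user": user, "password": password}
    return " ".join(f"{k}={quote_conninfo_value(v)}" for k, v in params.items())

def parse_conninfo(conninfo: str) -> dict:
    """Minimal parser following libpq's keyword=value grammar (quoted or bare values)."""
    result, i, n = {}, 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.index("=", i)
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        if i < n and conninfo[i] == "'":
            i += 1
            buf = []
            while i < n and conninfo[i] != "'":
                if conninfo[i] == "\\" and i + 1 < n:   # escaped char
                    i += 1
                buf.append(conninfo[i])
                i += 1
            i += 1                                    # skip closing quote
            result[key] = "".join(buf)
        else:
            j = i
            while j < n and not conninfo[j].isspace():
                j += 1
            result[key] = conninfo[i:j]
            i = j
    return result

PAYLOAD = "a' or '1'='1"   # the password string from the report above

def password_roundtrips(password: str = PAYLOAD) -> bool:
    """True when the password comes back unchanged as a single parameter value."""
    return parse_conninfo(build_conninfo("powa", password))["password"] == password
```

Whatever the login form receives ends up as one quoted parameter value, so the connection either authenticates with that exact string or fails.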

jlizondo commented 5 months ago

I just upgraded psycopg2 from 2.9.6 to 2.9.8 and SQLAlchemy from 1.3.2 to 1.4.51 and the problem seems solved. I can't inject SQL for the password anymore.

I think this can be closed, the issue was clearly with old versions of the packages. Thanks for your help @rjuju !