publiclab / mapknitter

Upload your own aerial images, position (rubbersheet) them in a web interface over existing map data, and share via web or composite and export for print.
http://mapknitter.org
GNU General Public License v3.0

SQL Injection in "sort" parameter on /users/ page #1189

Open tsparksh opened 4 years ago

tsparksh commented 4 years ago

What happened just before the problem occurred

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.

Due to the lack of filtering of the sort parameter, SQL injection is possible (near ORDER BY).

Demonstration: http://mapknitter.org/users/?sort=asdasd => SELECT users.*, count(users.id) as maps_count FROM 'users' INNER JOIN 'maps' ON 'maps'.'user_id' = 'users'.'id' GROUP BY maps.user_id ORDER BY asdasd desc LIMIT 24 OFFSET 0

Relevant URLs

http://mapknitter.org/users/

How to fix

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered user input, therefore solving SQL injection.

welcome[bot] commented 4 years ago

Thanks for opening your first issue here! Please follow the issue template to help us help you 👍🎉😄 If you have screenshots to share demonstrating the issue, that's really helpful! 📸 You can make a gif too!

Uzay-G commented 4 years ago

I'm not sure security errors like this should be reported in open issues.

tsparksh commented 4 years ago

Hey, @Uzay-G. We already have some security reports opened (https://github.com/publiclab/plots2/issues/3966, https://github.com/publiclab/plots2/issues/744, https://github.com/publiclab/plots2/issues/3549). So I don't think this is a problem.

@jywarren, can you check this and https://github.com/publiclab/plots2/issues/7133, please? How should I report such security issues?

jywarren commented 4 years ago

I think we can look to the controllers where this is affected: https://github.com/publiclab/mapknitter/blob/4f11b9e472097b93c9449f1a18de14e37f8d0ace/app/controllers/users_controller.rb#L16

I think it should be:

.order("? ?", sort_column, sort_direction)

Then Rails will sanitize the params! Can we make this change now?
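Added example for the "How to fix" section and the `.order(...)` suggestion above; this is not MapKnitter's code and not part of the thread. Column and table names in an ORDER BY are identifiers, not values, so they cannot be supplied as bind parameters the way a WHERE value can; the usual Rails pattern is to check the requested column and direction against a fixed allowlist and only then interpolate them. The block below is plain Ruby with no Rails dependency, and the column names in `SORTABLE_COLUMNS` are assumptions apart from the ones visible in the issue's demonstration query.

```ruby
# Added example (not MapKnitter's code): allowlist-based sorting for an
# ORDER BY clause built from request parameters. Plain Ruby, no Rails.
# Column names below are assumptions except for those visible in the
# issue's demonstration query (users.id, maps_count).

# Columns a client may sort by. Anything not in this list is ignored.
SORTABLE_COLUMNS = %w[id login created_at maps_count].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze

DEFAULT_COLUMN    = 'created_at'
DEFAULT_DIRECTION = 'desc'

# Returns a column name taken from the allowlist, never the raw parameter.
def sort_column(params)
  requested = params['sort'].to_s
  SORTABLE_COLUMNS.include?(requested) ? requested : DEFAULT_COLUMN
end

# Returns 'asc' or 'desc', never the raw parameter.
def sort_direction(params)
  requested = params['direction'].to_s.downcase
  SORT_DIRECTIONS.include?(requested) ? requested : DEFAULT_DIRECTION
end

# Builds the ORDER BY fragment. Both pieces come from fixed allowlists, so
# interpolating them here cannot carry attacker-controlled SQL.
def order_fragment(params)
  "#{sort_column(params)} #{sort_direction(params)}"
end

# Assembles the same query shape as the issue's demonstration, with the
# allowlisted ORDER BY in place of the raw parameter. LIMIT and OFFSET are
# coerced to integers so they cannot carry SQL either.
def users_query(params, limit: 24, offset: 0)
  "SELECT users.*, count(users.id) as maps_count FROM users " \
  "INNER JOIN maps ON maps.user_id = users.id " \
  "GROUP BY maps.user_id ORDER BY #{order_fragment(params)} " \
  "LIMIT #{Integer(limit)} OFFSET #{Integer(offset)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the unknown column from the report, then a valid sort.
  puts users_query({ 'sort' => 'asdasd' })
  puts users_query({ 'sort' => 'login', 'direction' => 'asc' })
end
```

In a controller the fragment would be handed to ActiveRecord as `User.order(order_fragment(params))`; because the result is always of the form `column direction` built from constants, it is the kind of string Rails accepts in `order` without needing `Arel.sql`. The unknown value from the report (`asdasd`) falls back to the default column instead of reaching the query.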

StlMaris123 commented 4 years ago

Is there anyone working on this? I would love to work on it

tsparksh commented 4 years ago

@StlMaris123, sure, go ahead!