Closed
Bug 1294333
Opened 8 years ago
Closed 8 years ago
Some fields are injected by SQL commands
Categories
(Bugzilla :: Query/Bug List, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: anurag8arg, Unassigned)
Details
Attachments
(1 file)
|
24.16 KB,
image/png
|
Details |
Capture1.PNG
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Steps to reproduce: 1) one of the famous extension 'exploit me' i used 2) SQL Inject me is the add on for this 3) here i inject SQL commands for this page https://bugzilla.mozilla.org/show_bug.cgi?id=420025 Actual results: here i get 1 test case as failure. quicksearch Submitted Form State: unnamed field: Search Results: Error string found: 'ORA-' Tested value: 1' OR '1'='1 Expected results: as per as standard of mozilla it should not inject this.
|
||
Comment 1•8 years ago
|
||
Dylan, can you poke at this?
Assignee: nobody → query-and-buglist
Group: firefox-core-security → bugzilla-security
Component: Untriaged → Query/Bug List
Flags: needinfo?(dylan)
Product: Firefox → Bugzilla
QA Contact: default-qa
Version: 49 Branch → unspecified
|
||
Comment 2•8 years ago
|
||
quicksearch is quite far removed from SQL generation. Is the search string in question: 1' OR '1'='1 ?
Flags: needinfo?(dylan)
|
|
||
Updated•8 years ago
|
Flags: needinfo?(anurag8arg)
|
|
||
Comment 3•8 years ago
|
||
I cannot reproduce this. The provided quicksearch results in this SQL query:
SELECT
bugs.bug_id AS bug_id
FROM
bugs
LEFT JOIN
bug_group_map AS security_map ON bugs.bug_id = security_map.bug_id
AND NOT (security_map.group_id IN (/* omitted */))
LEFT JOIN
cc AS security_cc ON bugs.bug_id = security_cc.bug_id
AND security_cc.who = 491519
WHERE
bugs.creation_ts IS NOT NULL
AND (security_map.group_id IS NULL
OR (bugs.reporter_accessible = 1
AND bugs.reporter = 491519)
OR (bugs.cclist_accessible = 1
AND security_cc.who IS NOT NULL)
OR bugs.assigned_to = 491519
OR bugs.qa_contact = 491519)
AND bugs.bug_status IN ('UNCONFIRMED' , 'NEW', 'ASSIGNED', 'REOPENED')
GROUP BY bugs.bug_id
ORDER BY bug_id DESC
LIMIT 500
|
||
Comment 4•8 years ago
|
||
The flag string found by his detection algorithm is one typically found when you exploit an Oracle server. We're not using Oracle.
|
|
||
Comment 5•8 years ago
|
||
Sorry, hit submit before I finished on accident. We do have a few products using this site for tracking that do use Oracle themselves, so likely his search found a bug report that mentions that string.
|
Reporter | |
Comment 6•8 years ago
|
||
1) (In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #5) > Sorry, hit submit before I finished on accident. We do have a few products > using this site for tracking that do use Oracle themselves, so likely his > search found a bug report that mentions that string. 1) download Add-on "SQL inject me" 2) hit this URL https://bugzilla.mozilla.org/show_bug.cgi?id=420025 3) open the add-on and select "test all form with all attacks" 4) after this it will generate result page (temp) 5) here you can see that it will show 4 Failures. as pr as the standard of mozilla i would not expect this. Hope you will be able to reproduce it now. version: 49.0b2
OS: Unspecified → Windows 8
|
||
Comment 7•8 years ago
|
||
(In reply to Anurag Arora from comment #0) > Results: > Error string found: 'ORA-' > Tested value: 1' OR '1'='1 I ran the tests myself, and the extension is abused by the summary of bug 702935 being returned in the buglist: "[Oracle] checksetup.pl fails with ORA-01722". So no SQL injection here.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(anurag8arg)
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•