Closed Bug 1259008 Opened 8 years ago Closed 8 years ago

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: jamescat46, Unassigned)

Details

(Keywords: sec-low, wsec-disclosure, wsec-sqli, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

I found a SQL injection in the https://bugzilla.mozilla.org/ domain.

To reproduce:
https://bugzilla.mozilla.org/buglist.cgi?query_format=specific&order=relevance%20desc&bug_status=_open_&product=&content=%3E%3E/=1&comments=0

Enter the website, and you can see the MySQL error:
DBD::mysql::db selectcol_arrayref failed: syntax error, unexpected '>' [for Statement "SELECT bugs.bug_id AS bug_id, (MATCH(bugs_fulltext_0.short_desc) AGAINST('>>/=1' IN BOOLEAN MODE)) AS relevance FROM bugs LEFT JOIN bug_group_map AS security_map ON bugs.bug_id = security_map.bug_id AND NOT ( security_map.group_id IN (69) ) LEFT JOIN cc AS security_cc ON bugs.bug_id = security_cc.bug_id AND security_cc.who = 567004 LEFT JOIN bugs_fulltext AS bugs_fulltext_0 ON bugs.bug_id = bugs_fulltext_0.bug_id WHERE bugs.creation_ts IS NOT NULL AND (security_map.group_id IS NULL OR (bugs.reporter_accessible = 1 AND bugs.reporter = 567004) OR (bugs.cclist_accessible = 1 AND security_cc.who IS NOT NULL) OR bugs.assigned_to = 567004 OR bugs.qa_contact = 567004) AND MATCH(bugs_fulltext_0.short_desc) AGAINST('>>/=1' IN BOOLEAN MODE) GROUP BY bugs.bug_id ORDER BY relevance DESC LIMIT 500 "]
Jaume - Thank you for submitting this.  Although your PoC does produce a MySQL error, in my testing it appears the data injected into the 'content' parameter is restricted to the above-mentioned AGAINST clause (i.e. when I introduce other SQL content, it's escaped). From what I can tell, this has limited impact because a given attacker would only be able to generate a MySQL error and not have arbitrary control over the SQL query.

For the time being, I'm going to set this bug to LOW severity because that seems to match the expected impact.  If you can think of an example scenario or share a PoC that would demonstrate how a malicious party could use this beyond learning the SQL query content and popping SQL error messages, please let us know.

Things I think we can be doing better here:

- Don't display detailed SQL error messages to end users in production
- Restrict ">" strings from content parameter or use a different SQL query context that allows the presence of a ">" character without erroring
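The two mitigations listed in the comment above, sketched as an added example (Python, not Bugzilla's own Perl code and not part of this bug). The "unexpected '>'" in the error comes from MySQL's boolean-mode full-text parser, where > and < are operators that must precede a word, so the term is neutralised before it reaches AGAINST(... IN BOOLEAN MODE), and any driver error is logged server-side and replaced with a reference id for the user. The SQL skeleton, the `fake_execute` stand-in for DBD::mysql and the row it returns are constructed for the example.

```python
"""Defensive handling for a MySQL boolean-mode full-text search term.

Added illustration, not Bugzilla code: neutralise full-text operator
characters in the user-supplied 'content' term, and never surface the raw
database error to the browser. SEARCH_SQL and fake_execute are constructed
stand-ins, not Bugzilla internals.
"""
import logging
import re
import uuid

log = logging.getLogger("buglist")

# A token is: optional leading +/- (require/exclude), the word itself, and an
# optional trailing * (prefix match). Every other boolean-mode operator that
# MySQL recognises -- > < ( ) ~ " @ -- is stripped from the word.
_TOKEN = re.compile(r"([+-]?)(.*?)(\*?)")


def sanitize_boolean_fulltext(raw: str) -> str:
    """Return a term that is safe for AGAINST(... IN BOOLEAN MODE).

    '>>/=1' (the PoC term above) becomes '1'; '+crash -firefox tab*' is kept
    as-is; a term consisting only of operators becomes ''.
    """
    out = []
    for tok in raw.split():
        prefix, body, star = _TOKEN.fullmatch(tok).groups()
        word = re.sub(r"\W", "", body)  # keep letters, digits, underscore only
        if word:
            out.append(f"{prefix}{word}{star}")
    return " ".join(out)


# Constructed SQL skeleton with the shape of the statement quoted in the
# error above; the term is a bound parameter, never interpolated.
SEARCH_SQL = (
    "SELECT bugs.bug_id, "
    "MATCH(bugs_fulltext_0.short_desc) AGAINST(%s IN BOOLEAN MODE) AS relevance "
    "FROM bugs LEFT JOIN bugs_fulltext AS bugs_fulltext_0 "
    "ON bugs.bug_id = bugs_fulltext_0.bug_id "
    "WHERE MATCH(bugs_fulltext_0.short_desc) AGAINST(%s IN BOOLEAN MODE) "
    "ORDER BY relevance DESC LIMIT 500"
)


def run_search(raw_term: str, execute, sanitize: bool = True) -> dict:
    """Run the search; on a DB error, log the detail and return only a reference.

    `execute(sql, params)` is whatever DB-API wrapper the application uses.
    `sanitize=False` exists only to exercise the error path.
    """
    term = sanitize_boolean_fulltext(raw_term) if sanitize else raw_term
    if not term.strip():
        return {"ok": True, "rows": [], "message": "No searchable words in query."}
    try:
        rows = execute(SEARCH_SQL, (term, term))
    except Exception as exc:  # any driver error stays server-side
        ref = uuid.uuid4().hex[:12]
        log.error("buglist search failed ref=%s term=%r err=%s", ref, term, exc)
        # The user sees neither the statement nor the driver message.
        return {"ok": False, "message": f"Search failed (reference {ref})."}
    return {"ok": True, "rows": rows}


def fake_execute(sql: str, params: tuple):
    """Constructed stand-in for DBD::mysql: rejects the boolean-mode syntax the
    real parser rejects ('>>' or a bare '>' / '<'), otherwise returns one
    made-up row."""
    term = params[0]
    if re.search(r"[<>]{2}|(?:^|\s)[<>](?:\s|$)", term):
        raise RuntimeError(
            "syntax error, unexpected '>' [for Statement \"" + sql + "\"]"
        )
    return [(12345, 1.0)]  # constructed bug id and relevance


if __name__ == "__main__":
    print(run_search(">>/=1", fake_execute, sanitize=False))  # error path, no SQL shown
    print(run_search(">>/=1", fake_execute))                  # sanitised, returns rows
```

The sanitiser deliberately flattens quoted phrases and grouping parentheses into plain words; if phrase search matters, the alternative the comment mentions (a query context that tolerates these characters, such as natural-language mode) avoids the boolean parser altogether.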
:glob - Would you mind having a peek at this? Doesn't seem like an immediate risk, but I included some comments above where we might be able to leak less intel on the SQL query being generated by Bugzilla.
Flags: needinfo?(glob)
Keywords: sec-low, wsec-sqli
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #3)
> :glob - Would you mind having a peek at this? Doesn't seem like an immediate
> risk, but I included some comments above where we might be able to leak less
> intel on the SQL query being generated by Bugzilla.

bugzilla's open source; there's nothing confidential in the sql we generate.
Group: websites-security → bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Other → General
Flags: needinfo?(glob)
Product: Websites → bugzilla.mozilla.org
Resolution: --- → INVALID
Version: unspecified → Production
Group: bugzilla-security
Flags: sec-bounty-