Some fields are injected by SQL commands

RESOLVED INVALID

(Reporter: Anurag Arora, Unassigned)

Description

Created attachment 8779967 [details]
Capture1.PNG

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

1) One of the famous extensions, 'Exploit Me', I used
2) SQL Inject Me is the add-on for this
3) Here I inject SQL commands for this page
https://bugzilla.mozilla.org/show_bug.cgi?id=420025

Actual results:

Here I get 1 test case as a failure.

quicksearch
Submitted Form State:

    unnamed field: Search

Results:
Error string found: 'ORA-'
Tested value: 1' OR '1'='1

Expected results:

As per the standard of Mozilla, it should not inject this.

Dylan, can you poke at this?
Assignee: nobody → query-and-buglist
Group: firefox-core-security → bugzilla-security
Component: Untriaged → Query/Bug List
Flags: needinfo?(dylan)
Product: Firefox → Bugzilla
QA Contact: default-qa
Version: 49 Branch → unspecified

quicksearch is quite far removed from SQL generation.

Is the search string in question:

1' OR '1'='1

?
Flags: needinfo?(dylan)
Flags: needinfo?(anurag8arg)

I cannot reproduce this. The provided quicksearch results in this SQL query:

SELECT 
    bugs.bug_id AS bug_id
FROM
    bugs
        LEFT JOIN
    bug_group_map AS security_map ON bugs.bug_id = security_map.bug_id
        AND NOT (security_map.group_id IN (/* omitted */))
        LEFT JOIN
    cc AS security_cc ON bugs.bug_id = security_cc.bug_id
        AND security_cc.who = 491519
WHERE
    bugs.creation_ts IS NOT NULL
        AND (security_map.group_id IS NULL
        OR (bugs.reporter_accessible = 1
        AND bugs.reporter = 491519)
        OR (bugs.cclist_accessible = 1
        AND security_cc.who IS NOT NULL)
        OR bugs.assigned_to = 491519
        OR bugs.qa_contact = 491519)
        AND bugs.bug_status IN ('UNCONFIRMED' , 'NEW', 'ASSIGNED', 'REOPENED')
GROUP BY bugs.bug_id
ORDER BY bug_id DESC
LIMIT 500

The flag string found by his detection algorithm is one typically found when you exploit an Oracle server. We're not using Oracle.

Sorry, hit submit before I finished on accident. We do have a few products using this site for tracking that do use Oracle themselves, so likely his search found a bug report that mentions that string.
Comment 6 (Reporter)

(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #5)
> Sorry, hit submit before I finished on accident. We do have a few products
> using this site for tracking that do use Oracle themselves, so likely his
> search found a bug report that mentions that string.

1) download Add-on "SQL inject me"
2) hit this URL
https://bugzilla.mozilla.org/show_bug.cgi?id=420025
3) open the add-on and select "test all form with all attacks"
4) after this it will generate result page (temp)
5) here you can see that it will show 4 Failures.

As per the standard of Mozilla, I would not expect this.

Hope you will be able to reproduce it now.
Version: 49.0b2
OS: Unspecified → Windows 8

Comment 7

(In reply to Anurag Arora from comment #0)
> Results:
> Error string found: 'ORA-'
> Tested value: 1' OR '1'='1

I ran the tests myself, and the extension is abused by the summary of bug 702935 being returned in the buglist: "[Oracle] checksetup.pl fails with ORA-01722".

So no SQL injection here.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(anurag8arg)
Resolution: --- → INVALID
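One way to triage the kind of finding reported in this bug, as an added example that is not part of this thread or of Bugzilla's code: it reproduces the scanner's bare error-string check beside a baseline-aware check that ignores signatures already present in a benign response or sitting inside returned bug summaries. The buglist fragments and the leaked-error line are constructed, not captured from bugzilla.mozilla.org.

```python
import re

# Error-string signatures of the kind the scanner applies. 'ORA-' is the bare pattern
# from the report; the second form requires an Oracle error code behind it.
SIGNATURES = {
    "oracle-bare": re.compile(r"ORA-"),
    "oracle-code": re.compile(r"ORA-\d{5}"),
}

# Constructed buglist fragments (not real captures). Both the benign query and the
# probe return bug 702935, whose summary legitimately contains 'ORA-01722'.
BASELINE_PAGE = (
    "<tr><td>702935</td><td>[Oracle] checksetup.pl fails with ORA-01722</td></tr>\n"
    "<tr><td>420025</td><td>example summary without database text</td></tr>\n"
)
PROBE_PAGE = "<tr><td>702935</td><td>[Oracle] checksetup.pl fails with ORA-01722</td></tr>\n"
# Constructed page showing what a genuine leak would look like: a database error
# outside any result cell, with a code the benign response never contained.
LEAKY_PAGE = "Software error: ORA-00933: SQL command not properly ended\n"


def naive_hits(page):
    """The scanner's rule: flag the page if any signature appears anywhere in it."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(page))


def triaged_hits(baseline_page, probe_page):
    """Keep a match only if its text is absent from the benign baseline response and
    does not sit inside a result-table cell, i.e. inside user-supplied bug data."""
    cells = [m.span() for m in re.finditer(r"<td>.*?</td>", probe_page, re.S)]
    hits = set()
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(probe_page):
            in_cell = any(start <= m.start() < end for start, end in cells)
            if not in_cell and m.group(0) not in baseline_page:
                hits.add((name, m.group(0)))
    return sorted(hits)


if __name__ == "__main__":
    print("naive:", naive_hits(PROBE_PAGE))                     # fires on the bug summary
    print("triaged:", triaged_hits(BASELINE_PAGE, PROBE_PAGE))  # empty: false positive
    print("triaged:", triaged_hits(BASELINE_PAGE, LEAKY_PAGE))  # a genuine leak survives
```

The bare 'ORA-' signature fires even on the benign baseline, which is exactly the false positive in this report; only a code that is new relative to the baseline and outside returned bug data survives triage.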