Created attachment 8779967: Capture1.PNG

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

1) I used one of the famous extensions, 'Exploit Me'.
2) 'SQL Inject Me' is the add-on for this.
3) Here I injected SQL commands into this page: https://bugzilla.mozilla.org/show_bug.cgi?id=420025

Actual results:

Here I get one test case as a failure.

quicksearch
Submitted Form State: unnamed field: Search
Results:
Error string found: 'ORA-'
Tested value: 1' OR '1'='1

Expected results:

As per the standard of Mozilla, it should not inject this.
Dylan, can you poke at this?
quicksearch is quite far removed from SQL generation. Is the search string in question: 1' OR '1'='1 ?
I cannot reproduce this. The provided quicksearch results in this SQL query:

SELECT bugs.bug_id AS bug_id
FROM bugs
  LEFT JOIN bug_group_map AS security_map
    ON bugs.bug_id = security_map.bug_id
    AND NOT (security_map.group_id IN (/* omitted */))
  LEFT JOIN cc AS security_cc
    ON bugs.bug_id = security_cc.bug_id
    AND security_cc.who = 491519
WHERE bugs.creation_ts IS NOT NULL
  AND (security_map.group_id IS NULL
       OR (bugs.reporter_accessible = 1 AND bugs.reporter = 491519)
       OR (bugs.cclist_accessible = 1 AND security_cc.who IS NOT NULL)
       OR bugs.assigned_to = 491519
       OR bugs.qa_contact = 491519)
  AND bugs.bug_status IN ('UNCONFIRMED', 'NEW', 'ASSIGNED', 'REOPENED')
GROUP BY bugs.bug_id
ORDER BY bug_id DESC
LIMIT 500
The flag string found by his detection algorithm is one typically found when you exploit an Oracle server. We're not using Oracle.
Sorry, hit submit before I finished on accident. We do have a few products using this site for tracking that do use Oracle themselves, so likely his search found a bug report that mentions that string.
(In reply to Dave Miller [:justdave] (email@example.com) from comment #5)
> Sorry, hit submit before I finished on accident. We do have a few products
> using this site for tracking that do use Oracle themselves, so likely his
> search found a bug report that mentions that string.

1) Download the add-on "SQL Inject Me".
2) Hit this URL: https://bugzilla.mozilla.org/show_bug.cgi?id=420025
3) Open the add-on and select "test all form with all attacks".
4) After this it will generate a result page (temp).
5) Here you can see that it will show 4 failures.

As per the standard of Mozilla, I would not expect this. Hope you will be able to reproduce it now.

Version: 49.0b2
(In reply to Anurag Arora from comment #0)
> Results:
> Error string found: 'ORA-'
> Tested value: 1' OR '1'='1

I ran the tests myself, and the extension is abused by the summary of bug 702935 being returned in the buglist: "[Oracle] checksetup.pl fails with ORA-01722". So no SQL injection here.
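The conclusion in comment 7 rests on a check worth doing whenever a scanner reports an error string: compare the response to the probe with a baseline response for benign input, and treat a signature that is already present in the baseline as page content rather than a database error. The Python below is an added example and is not part of this bug report, of Bugzilla, or of the SQL Inject Me add-on. Only the bug 702935 summary comes from the thread; the HTML fragments, the `triage` function, the hypothetical error page and the non-Oracle signatures are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Error-string signatures of the kind a scanner greps for. Only the Oracle one
# matters for this thread; the others are included to show the general check.
ERROR_SIGNATURES = {
    "oracle": re.compile(r"ORA-\d{5}"),
    "mysql": re.compile(r"You have an error in your SQL syntax"),
    "postgres": re.compile(r"ERROR:\s+syntax error at or near"),
}

# Constructed sample responses. The ORA- text is the summary of bug 702935 quoted
# in comment 7; the HTML around it is made up for this example.
BASELINE_BUGLIST = """<table class="bz_buglist">
<tr><td>702935</td><td>[Oracle] checksetup.pl fails with ORA-01722</td></tr>
<tr><td>420025</td><td>some unrelated summary</td></tr>
</table>"""

# Constructed: a buglist that does not mention Oracle at all.
CLEAN_BUGLIST = """<table class="bz_buglist">
<tr><td>420025</td><td>some unrelated summary</td></tr>
</table>"""

# Constructed, hypothetical: what a genuine database error page might look like.
ERROR_PAGE = "<h1>Software error</h1><pre>DBD::Oracle::st execute failed: ORA-00933</pre>"


@dataclass
class Finding:
    signature: str
    matches_in_probe: list
    matches_in_baseline: list
    verdict: str   # "no_match" | "false_positive" | "needs_review"
    context: str   # text around the first probe match, for the triager


def _context(text, match, width=40):
    """Return a window of text around a regex match."""
    start = max(0, match.start() - width)
    end = min(len(text), match.end() + width)
    return text[start:end]


def triage(baseline: str, probe: str, signature: str) -> Finding:
    """Classify an error-string hit by comparing the probe response with a
    baseline response fetched with benign input.

    Every matched string that already appears in the baseline is page content
    (here a bug summary), not an error raised by the probe, so the finding is
    recorded as a false positive. A string that appears only in the probe
    response is worth a human look; the match alone still proves nothing.
    """
    pattern = ERROR_SIGNATURES[signature]
    probe_hits = pattern.findall(probe)
    base_hits = pattern.findall(baseline)
    if not probe_hits:
        verdict = "no_match"
    elif set(probe_hits) <= set(base_hits):
        verdict = "false_positive"
    else:
        verdict = "needs_review"
    first = pattern.search(probe)
    context = _context(probe, first) if first else ""
    return Finding(signature, probe_hits, base_hits, verdict, context)


def triage_all(baseline: str, probe: str) -> dict:
    """Run every signature and return {signature: verdict}."""
    return {name: triage(baseline, probe, name).verdict for name in ERROR_SIGNATURES}


if __name__ == "__main__":
    # The situation in the thread: the probe returned the same buglist as the
    # baseline, and the only ORA- string is bug 702935's summary.
    f = triage(BASELINE_BUGLIST, BASELINE_BUGLIST, "oracle")
    print(f.verdict, "->", f.context.strip())
    # Contrast: a page that only shows an ORA- code after the probe.
    print(triage(CLEAN_BUGLIST, ERROR_PAGE, "oracle").verdict)
```

The `context` field is what a triager actually needs: it shows that the matched text sits inside a bug summary cell, which is exactly how comment 7 resolved this report.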