Bug 1393696: Information disclosure with null byte injection
Opened 8 years ago, updated 8 years ago
Status: UNCONFIRMED (open)
Categories: Bugzilla :: Bugzilla-General, defect
People: Reporter pierrick.merle-ext; Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
Steps to reproduce:
https://landfill.bugzilla.org/bugzilla-4.4-branch/buglist.cgi?bug_id=5%00&action-search=Run%20Search&bug_file_loc=1234&bug_file_loc_type=regexp&bug_id_type=nowords&bug_severity=Normal&bug_status=Integrated&category=TestProduct&cf_cplc=Closed_Rejected&cf_subsys_version=---&ch
See the null byte (%00) after the bug_id parameter.
Actual results:
The null byte '\0' is escaped like '\\\0' inside the SQL REGEXP statement.
It results in an SQL failure and a 500 error.
I wasn't able to exploit any SQL injection using this trick.
Expected results:
The bug_id parameter should probably accept only integers > 0.
Comment 1 • 8 years ago
It isn't the NUL byte that is causing that error, but rather the incorrectly formatted regexp in bug_file_loc.
Comment 2 (Reporter) • 8 years ago
The error message is:
"Software error:
DBD::mysql::db selectcol_arrayref failed: Got error 'trailing backslash (\)' from regexp..."
In the request, bug_file_loc = '1234'.
There is no backslash in this parameter, but a backslash in bug_id.
Comment 3 (Reporter) • 8 years ago
The wrong statement is: REGEXP '(^|[^[:alnum:]])5\\\0($|[^[:alnum:]])'
You can run this on any MySQL instance:
SELECT 'a' REGEXP '5\\\0';
And you will have:
ERROR 1139 (42000): Got error 'trailing backslash (\)' from regexp
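Added example (not part of the bug report and not Bugzilla's own code): a Python emulation of the escaping chain the thread describes, showing why the literal quoted in Comment 3 ends up with a trailing backslash in front of the regex engine, and what the reporter's suggested fix (positive integers only) looks like. The emulated quotemeta() and DBD::mysql quoting, the assumption that Bugzilla builds the 'nowords' term as quotemeta(value) wrapped in (^|[^[:alnum:]]) and ($|[^[:alnum:]]), and the assumption that the regex library receives the pattern as a NUL-terminated C string (MySQL's pre-8.0.4 Henry Spencer engine, where the 'trailing backslash' message comes from) are this example's assumptions, chosen because they reproduce the literal shown in the report. The sample input "5\x00" is constructed from the bug_id=5%00 value in the report's URL.

```python
import re
from typing import List

# Constructed input: the bug_id value from the report's URL, "5" followed by a NUL byte (%00).
RAW_BUG_ID = "5\x00"


def perl_quotemeta(s: str) -> str:
    """Emulate Perl's quotemeta(): a backslash before every character that is
    not [A-Za-z0-9_]. A NUL byte is not a word character, so "5\\x00" becomes
    "5", backslash, NUL."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", s)


def mysql_quote(s: str) -> str:
    """Emulate DBI's $dbh->quote() as DBD::mysql does it (mysql_real_escape_string
    semantics, assumed here): escape NUL, backslash, quotes, newline, CR and
    Ctrl-Z with a backslash, then wrap the result in single quotes."""
    escapes = {"\x00": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "'" + "".join(escapes.get(c, c) for c in s) + "'"


def build_nowords_regexp(value: str) -> str:
    """Assumed reconstruction of the 'nowords' term: quotemeta() the word, wrap it
    in the word-boundary alternatives seen in the report, then quote for SQL."""
    pattern = "(^|[^[:alnum:]])" + perl_quotemeta(value) + "($|[^[:alnum:]])"
    return mysql_quote(pattern)


def mysql_decode_literal(literal: str) -> str:
    """Decode a single-quoted MySQL string literal the way the server's parser
    does with backslash escapes enabled (the default sql_mode). Only the escapes
    mysql_quote() emits are handled; an unknown \\x decodes to x."""
    if not (literal.startswith("'") and literal.endswith("'")):
        raise ValueError("expected a single-quoted literal")
    body = literal[1:-1]
    decode = {"0": "\x00", "\\": "\\", "'": "'", '"': '"',
              "n": "\n", "r": "\r", "Z": "\x1a"}
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(decode.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def pattern_seen_by_regex_engine(decoded: str) -> str:
    """Assumption: the decoded pattern is handed to the regex library as a
    C string, so everything from the first NUL onward is invisible to it."""
    return decoded.split("\x00", 1)[0]


def ends_with_unescaped_backslash(pattern: str) -> bool:
    """True when the pattern ends in an odd-length run of backslashes, which is
    the condition behind MySQL error 1139 'trailing backslash (\\)'."""
    trailing = len(pattern) - len(pattern.rstrip("\\"))
    return trailing % 2 == 1


BUG_ID_RE = re.compile(r"\A[1-9][0-9]*\Z")


def validate_bug_ids(raw: str) -> List[int]:
    """The fix the reporter suggests: accept only positive integers. Splits on
    the same separators the search form uses (commas and whitespace) and rejects
    anything else, NUL bytes included, before any SQL is built."""
    ids = []
    for token in re.split(r"[\s,]+", raw):
        if token == "":
            continue
        if not BUG_ID_RE.match(token):
            raise ValueError("invalid bug id: %r" % token)
        ids.append(int(token))
    return ids


if __name__ == "__main__":
    literal = build_nowords_regexp(RAW_BUG_ID)
    print("SQL literal:", literal)
    seen = pattern_seen_by_regex_engine(mysql_decode_literal(literal))
    print("pattern the regex engine sees:", seen)
    print("trailing backslash:", ends_with_unescaped_backslash(seen))
    try:
        validate_bug_ids(RAW_BUG_ID)
    except ValueError as err:
        print("rejected before SQL:", err)
```

Running it reproduces the literal from Comment 3, `'(^|[^[:alnum:]])5\\\0($|[^[:alnum:]])'`: quotemeta() turns the NUL into backslash-NUL, quoting then doubles the backslash and writes the NUL as `\0`. The server decodes that back to a single backslash followed by a real NUL byte, and the NUL-terminated regex engine stops there, leaving `(^|[^[:alnum:]])5\` with a dangling backslash. Because the backslash was doubled correctly and the quote is never closed early, nothing escapes the string literal, which is consistent with the reporter not finding an injection: the effect is a query failure and a 500, not SQL control. Rejecting non-numeric bug_id values up front, as validate_bug_ids() does, removes the problem before the regexp is ever built.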