Closed Bug 343752 Opened 18 years ago Closed 18 years ago

The 'order' field in buglist.cgi is not properly parsed when using aliases

Categories

(Bugzilla :: Query/Bug List, defect)

Version: 2.20.1
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
Bugzilla 2.22

People

(Reporter: bmc, Assigned: LpSolit)


Details

(Keywords: regression)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
Build Identifier: 2.22-stable

$order is not properly validated before it is thunked into the SQL for the search query. This allows for SQL injection, though a rather limited SQL injection.

Reproducible: Always

Steps to Reproduce:
http://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?emailtype1=substring&email1=foo&emailreporter1=1&order=CASE%20WHEN%20map_assigned_to.realname%20%3D%20%27%27%20THEN%20map_assigned_to.login_name%20ELSE%20map_assigned_to.realname%20END%20AS%20assigned_to_realname 
Actual Results:  
On tip:

Software error:

DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs  INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.op_sys, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc,  FROM bugs  INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) LEFT JOIN bug_group_map  ON bug_group_map.bug_id = bugs.bug_id  AND bug_group_map.group_id NOT IN (6,7)  LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 15660 WHERE ((bugs.reporter IN (729,995,1014,1076,1552,1617,1663,1733,2061,2136,2358,2968,3045,3274,3430,4086,4275,4579,5113,5197,5246,5495,5843,6289,6901,7295,8100,8321,8443,9045,9245,9318,9438,9479,9620,10793,14421,14955,15198,15263,16077,16078,16617))) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL)    OR (bugs.reporter_accessible = 1 AND bugs.reporter = 15660)     OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL)     OR (bugs.assigned_to = 15660) OR (bugs.qa_contact = 15660) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-tip/buglist.cgi line 904
For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error.


On 2.22: 

Software error:

DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs  INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.rep_platform, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc,  FROM bugs  INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) INNER JOIN profiles AS map_reporter ON (bugs.reporter = map_reporter.userid) LEFT JOIN bug_group_map  ON bug_group_map.bug_id = bugs.bug_id  AND bug_group_map.group_id NOT IN (6,7)  LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 12148 WHERE ((INSTR(CAST(LOWER(map_reporter.login_name) AS BINARY), CAST('bmc' AS BINARY)) > 0)) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL)    OR (bugs.reporter_accessible = 1 AND bugs.reporter = 12148)     OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL)     OR (bugs.assigned_to = 12148) OR (bugs.qa_contact = 12148) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-2.20-branch/buglist.cgi line 871
For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error.

Expected Results:  
The same error message that other sort errors give:

The custom sort order specified in your form submission contains an invalid column name $FOO.
This does not seem to be the case. While the particular example causes an SQL error, hacking the order parameter to something else fails validation.
Attached patch: patch, v1 (Splinter Review)
When converting the column name to its ID, we were looking at the wrong place. The ID *is* in the keys of the hash, not in its values.

There is no SQL injection here, only an empty string which is added to the SQL query, so that we get:

SELECT foo1, foo2, FROM bugs ...

instead of

SELECT foo1, foo2, new_field FROM bugs ...
Assignee: query-and-buglist → LpSolit
Status: UNCONFIRMED → ASSIGNED
Attachment #228299 - Flags: review?(wurblzap)
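The lookup described in the comment above, reconstructed in Python as an added illustration; this is not Bugzilla's Perl code and not the attached patch. The column table, the `BASE_SELECT` list, the `name`/`title` hash layout and the `search_values` switch are assumptions made for the demonstration; only the SQL expressions and the URL come from this bug. The point it shows: the allowlist check itself holds (a fragment that matches nothing is rejected), but when the match is made against the hash values instead of the keys, the ID that comes back is empty, and an empty item lands in the SELECT list, which is exactly the `bugs.short_desc,  FROM bugs` seen in the error output.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the column table: column ID (hash key) ->
# definition (hash value). The SQL expressions echo those visible in this
# bug's error output; the table itself is not Bugzilla's real one.
COLUMNS = {
    "bug_id": {"name": "bugs.bug_id", "title": "ID"},
    "bug_severity": {"name": "bugs.bug_severity", "title": "Sev"},
    "priority": {"name": "bugs.priority", "title": "Pri"},
    "assigned_to": {"name": "map_assigned_to.login_name", "title": "Assignee"},
    "assigned_to_realname": {
        "name": "CASE WHEN map_assigned_to.realname = '' "
                "THEN map_assigned_to.login_name "
                "ELSE map_assigned_to.realname END",
        "title": "Assignee Real Name",
    },
    "short_desc": {"name": "bugs.short_desc", "title": "Summary"},
}

# Constructed subset of the columns the bug list always selects.
BASE_SELECT = ["bugs.bug_id", "bugs.bug_severity", "bugs.priority", "bugs.short_desc"]

# The URL from comment 0 of this bug.
SAMPLE_URL = ("http://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?emailtype1=substring"
              "&email1=foo&emailreporter1=1&order=CASE%20WHEN%20map_assigned_to.realname"
              "%20%3D%20%27%27%20THEN%20map_assigned_to.login_name%20ELSE%20"
              "map_assigned_to.realname%20END%20AS%20assigned_to_realname")

ALIAS_RE = re.compile(r"^(?P<expr>.+?)\s+AS\s+(?P<alias>\w+)$", re.I | re.S)
DIRECTION_RE = re.compile(r"\s+(asc|desc)$", re.I)


class InvalidColumn(ValueError):
    """Stands in for Bugzilla's 'invalid column name' error page."""


def split_direction(fragment):
    """'priority DESC' -> ('priority', ' DESC'); 'priority' -> ('priority', '')."""
    fragment = fragment.strip()
    m = DIRECTION_RE.search(fragment)
    if not m:
        return fragment, ""
    return fragment[:m.start()], " " + m.group(1).upper()


def column_id(fragment, search_values):
    """Resolve one order fragment to a column ID, or raise InvalidColumn.

    A bare ID is accepted directly. '<expr> AS <alias>' is accepted when
    <expr> is the SQL text of a known column. search_values=True models
    the defect: the hash is walked by its values, and a value is a
    definition that carries no ID, so '' comes back. search_values=False
    walks the items and returns the key, which is the ID.
    """
    core, _ = split_direction(fragment)
    if core in COLUMNS:
        return core
    m = ALIAS_RE.match(core)
    if not m:
        raise InvalidColumn(core)
    expr = m.group("expr")
    if search_values:
        for defn in COLUMNS.values():
            if defn["name"] == expr:
                return defn.get("id", "")  # defect: the ID lives only in the key
    else:
        for col_id, defn in COLUMNS.items():
            if defn["name"] == expr:
                return col_id
    raise InvalidColumn(core)


def build_query(order, search_values):
    """Assemble the SELECT ... ORDER BY text for a comma-separated order string."""
    select = list(BASE_SELECT)
    order_by = []
    for fragment in order.split(","):
        core, suffix = split_direction(fragment)
        col_id = column_id(core, search_values)
        defn = COLUMNS.get(col_id)
        # With the defect col_id is '' here, so an empty item lands in the
        # SELECT list and the query reads 'bugs.short_desc,  FROM bugs'.
        select.append(f"{defn['name']} AS {col_id}" if defn else "")
        alias = ALIAS_RE.match(core)
        order_by.append((alias.group("alias") if alias else col_id) + suffix)
    return f"SELECT {', '.join(select)} FROM bugs ORDER BY {', '.join(order_by)}"


def order_from_url(url):
    """Pull the decoded 'order' parameter out of a buglist.cgi URL."""
    return parse_qs(urlsplit(url).query)["order"][0]


if __name__ == "__main__":
    order = order_from_url(SAMPLE_URL)
    print("buggy:", build_query(order, search_values=True))
    print("fixed:", build_query(order, search_values=False))
    for attempt in ("bugs.bug_id; DROP TABLE bugs", "1=1 AS x", "priority DESC"):
        try:
            print(repr(attempt), "->", build_query(attempt, search_values=True))
        except InvalidColumn as e:
            print(repr(attempt), "-> rejected:", e)
```

Running it prints the broken query for the URL from comment 0 with `search_values=True` and the intended `... END AS assigned_to_realname FROM bugs ...` with `search_values=False`; the two injection-style attempts are rejected either way, which is why the report's payload produced a syntax error rather than an injected statement.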
This issue was introduced in bug 302326. Not a security bug.
Group: webtools-security
Severity: critical → normal
Keywords: regression
OS: Mac OS X 10.3 → All
Hardware: Macintosh → All
Summary: order not properly validated → The 'order' field in buglist.cgi is not properly parsed when using aliases
Target Milestone: --- → Bugzilla 2.22
Version: unspecified → 2.20.1
I'm afraid I'm on the completely wrong track when looking at this. I'd've thought I can reproduce this by looking at a bug list and clicking on an aliased column's header such as Reporter Real Name. But this works. What am I missing?
Marc, look at the URL field of this bug. Copy and paste it to your 2.22 and/or tip installation. Or use the link from comment 0. It's a good thing that the UI doesn't let you crash Bugzilla. As I said on IRC, you have to hack the URL directly to crash it.
Attachment #228299 - Flags: review?(wurblzap) → review+
Flags: approval?
Flags: approval2.22?
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+
tip:

Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.342; previous revision: 1.341
done

2.22:

Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.325.2.2; previous revision: 1.325.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED