Closed
Bug 626028
Opened 13 years ago
Closed 12 years ago
SQL Injection on litmus.mozilla.org
Categories
(Webtools Graveyard :: Litmus, defect)
Webtools Graveyard
Litmus
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: blair-witch, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20101227 Iceweasel/3.5.16 (like Firefox/3.5.16) Build Identifier: There is a SQL injection on litmus.mozilla.org. Entering strings that break SQL at https://litmus.mozilla.org/search_results.cgi in the summary field trigger the injection resulting in the error message below. More parameters can be used to trigger the injection: locale=' branch=' platform=' Error - Litmus has suffered a serious fatal internal error - Litmus::DB::Testresult can't SELECT DISTINCT(tr.testresult_id),tr.testcase_id,t.summary,tr.submission_time AS created,pl.name AS platform_name,pr.name as product_name,trsl.name AS result_status,trsl.class_name AS result_status_class,b.name AS branch_name,tg.name AS test_group_name, tr.locale_abbrev, u.email, pl.iconpath FROM test_results tr, testcases t, platforms pl, opsyses o, branches b, products pr, test_result_status_lookup trsl, testgroups tg, subgroups sg, users u, testcase_subgroups tcsg, subgroup_testgroups sgtg WHERE tr.testcase_id=t.testcase_id AND tr.opsys_id=o.opsys_id AND o.platform_id=pl.platform_id AND tr.branch_id=b.branch_id AND b.product_id=pr.product_id AND tr.result_status_id=trsl.result_status_id AND tcsg.testcase_id=tr.testcase_id AND tcsg.subgroup_id=sg.subgroup_id AND sg.subgroup_id=sgtg.subgroup_id AND sgtg.testgroup_id=tg.testgroup_id AND tr.user_id=u.user_id AND t.summary LIKE '%%\\'%%' GROUP BY tr.testresult_id ORDER BY tr.submission_time DESC: Can't use an undefined value as an ARRAY reference at /usr/lib/perl5/site_perl/5.8.8/Class/DBI.pm line 1140. Reproducible: Always Steps to Reproduce: 1. Tamper with the parameters of this url: https://litmus.mozilla.org/search_results.cgi?order_by_created=&order_by_testcase_id=&order_by_product=&order_by_platform=&order_by_branch=&order_by_locale=×pan=&summary=test&product=&platform=&branch=&locale=&limit=15 Actual Results: Error - Litmus has suffered a serious fatal internal error - Litmus::DB::Testresult can't SELECT Expected Results: Parameters should be sanitized. Found by investigating for Web Bug Bounty program. Set this to major as it seems not exploitable on a first look because it is not possible to break out of the single quote in this specific case. The single quote and any other special chars seem to be escaped.
Looking a little bit deeper at this, it definitley seems not exploitable. The error message can also be trigger by setting invalid timestamps that break the query, but it seems like every string that goes into the query is escaped so that an injection is not possible, though it is possible to break the query. Should be fixed anyway to catch bad chars before sending this to the DB.
|
||
Updated•13 years ago
|
Group: websites-security → webtools-security
Component: other.mozilla.org → Litmus
Product: Websites → Webtools
QA Contact: other-mozilla-org → litmus
Version: unspecified → other
|
||
Comment 2•12 years ago
|
||
Seems to have been fixed
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•8 years ago
|
Product: Webtools → Webtools Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•