If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

SQL Injection on litmus.mozilla.org

RESOLVED WORKSFORME

Status

Webtools Graveyard
Litmus
--
major
RESOLVED WORKSFORME
7 years ago
a year ago

People

(Reporter: Flow, Unassigned)

Tracking

Details

(URL)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20101227 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build Identifier: 

There is a SQL injection on litmus.mozilla.org. Entering strings that break SQL at https://litmus.mozilla.org/search_results.cgi in the summary field trigger the injection resulting in the error message below.

More parameters can be used to trigger the injection:
locale='
branch='
platform='


Error - Litmus has suffered a serious fatal internal error - Litmus::DB::Testresult can't SELECT DISTINCT(tr.testresult_id),tr.testcase_id,t.summary,tr.submission_time AS created,pl.name AS platform_name,pr.name as product_name,trsl.name AS result_status,trsl.class_name AS result_status_class,b.name AS branch_name,tg.name AS test_group_name, tr.locale_abbrev, u.email, pl.iconpath FROM test_results tr, testcases t, platforms pl, opsyses o, branches b, products pr, test_result_status_lookup trsl, testgroups tg, subgroups sg, users u, testcase_subgroups tcsg, subgroup_testgroups sgtg WHERE tr.testcase_id=t.testcase_id AND tr.opsys_id=o.opsys_id AND o.platform_id=pl.platform_id AND tr.branch_id=b.branch_id AND b.product_id=pr.product_id AND tr.result_status_id=trsl.result_status_id AND tcsg.testcase_id=tr.testcase_id AND tcsg.subgroup_id=sg.subgroup_id AND sg.subgroup_id=sgtg.subgroup_id AND sgtg.testgroup_id=tg.testgroup_id AND tr.user_id=u.user_id AND t.summary LIKE '%%\\'%%' GROUP BY tr.testresult_id ORDER BY tr.submission_time DESC: Can't use an undefined value as an ARRAY reference at /usr/lib/perl5/site_perl/5.8.8/Class/DBI.pm line 1140. 

Reproducible: Always

Steps to Reproduce:
1. Tamper with the parameters of this url:
https://litmus.mozilla.org/search_results.cgi?order_by_created=&order_by_testcase_id=&order_by_product=&order_by_platform=&order_by_branch=&order_by_locale=&timespan=&summary=test&product=&platform=&branch=&locale=&limit=15
Actual Results:  
Error - Litmus has suffered a serious fatal internal error - Litmus::DB::Testresult can't SELECT 

Expected Results:  
Parameters should be sanitized.

Found by investigating for Web Bug Bounty program.
Set this to major as it seems not exploitable on a first look because it is not possible to break out of the single quote in this specific case. The single quote and any other special chars seem to be escaped.
(Reporter)

Comment 1

7 years ago
Looking a little bit deeper at this, it definitley seems not exploitable. The error message can also be trigger by setting invalid timestamps that break the query, but it seems like every string that goes into the query is escaped so that an injection is not possible, though it is possible to break the query. Should be fixed anyway to catch bad chars before sending this to the DB.
Group: websites-security → webtools-security
Component: other.mozilla.org → Litmus
Product: Websites → Webtools
QA Contact: other-mozilla-org → litmus
Version: unspecified → other
Seems to have been fixed
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

a year ago
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.