Open Bug 856975 Opened 12 years ago Updated 3 years ago

[Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error

Categories

(Bugzilla :: Query/Bug List, defect)

4.2.5
defect
Not set
normal

UNCONFIRMED

People

(Reporter: aquarohit, Unassigned)

Attachments

(1 file)

Attached image software-error.png

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; Tablet PC 2.0)

Steps to reproduce:

Through a security scan tool, we tried to enter different values in the link: http://<IP>/bugzilla/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__all__&product=Web+UI&content=1234'%20having%201=1--
I can't reproduce this on tip or 4.2 using MySQL. Rohit: are you saying this only occurs with Oracle? Are you able to reproduce this on any of the test sites on http://landfill.bugzilla.org? Gerv
Severity: normal → major
Priority: -- → P1
I haven't tried it on MySQL, but for Oracle XE this bug is there for sure.
(In reply to Gervase Markham [:gerv] from comment #1)
> I can't reproduce this on tip or 4.2 using MySQL. Rohit: are you saying this
> only occurs with Oracle? Are you able to reproduce this on any of the test
> sites on http://landfill.bugzilla.org? Gerv

I haven't tried it on MySQL, but for Oracle XE this bug is there for sure.
Trouble is, I don't have access to an Oracle install. It seems there isn't one on landfill... It would help if you could try and reproduce it on MySQL or PostgreSQL. I can't, but perhaps I'm not doing it right. Gerv
The issue is not reproduced on landfill because Bugzilla 4.2.5 is able to handle the exceptions raised by MySQL, but there are a few Oracle exceptions it is not able to handle. E.g. in the search box enter 1+1; --> this will be handled by Bugzilla. If you enter 1+1;-- --> Bugzilla will throw a software error.

==============================================
DBD::Oracle::st fetchrow_array failed: ORA-20000: Oracle Text error:
DRG-50901: text query parser syntax error on line 1, column 6 (DBD ERROR: OCIStmtFetch) [for Statement "SELECT bugs.bug_id bug_id, bugs.bug_severity bug_severity, bugs.priority priority, bugs.bug_status bug_status, bugs.resolution resolution, map_product.name product, map_component.name component, CASE WHEN INSTR(map_assigned_to.login_name, '@') != 0 THEN SUBSTR(map_assigned_to.login_name, 1, INSTR(map_assigned_to.login_name, '@') - 1) ELSE map_assigned_to.login_name END assigned_to, bugs.short_desc short_desc, bugs.delta_ts changeddate
FROM bugs
LEFT JOIN bug_group_map security_map ON bugs.bug_id = security_map.bug_id
INNER JOIN products map_product ON bugs.product_id = map_product.id
INNER JOIN components map_component ON bugs.component_id = map_component.id
INNER JOIN profiles map_assigned_to ON bugs.assigned_to = map_assigned_to.userid
INNER JOIN bug_status map_bug_status ON bugs.bug_status = map_bug_status.value
INNER JOIN priority map_priority ON bugs.priority = map_priority.value
LEFT JOIN bugs_fulltext bugs_fulltext_6 ON bugs.bug_id = bugs_fulltext_6.bug_id
WHERE rownum <=500 AND bugs.creation_ts IS NOT NULL AND security_map.group_id IS NULL AND bugs.bug_status IN ('UNCONFIRMED','CONFIRMED','IN_PROGRESS')
AND ( ( ( bugs.product_id IN (SELECT products.id FROM products WHERE INSTR(LOWER(products.name), LOWER('1+1;--')) > 0)
OR bugs.component_id IN (SELECT components.id FROM components WHERE INSTR(LOWER(components.name), LOWER('1+1;--')) > 0)
OR INSTR(LOWER(COALESCE(bugs.alias, '__BZ_EMPTY_STR__')), LOWER('1+1;--')) > 0
OR INSTR(LOWER(bugs.short_desc), LOWER('1+1;--')) > 0
OR INSTR(LOWER(bugs.status_whiteboard), LOWER('1+1;--')) > 0
OR CONTAINS(bugs_fulltext_6.comments_noprivate,'"1+1;--"',1) > 0
OR CONTAINS(bugs_fulltext_6.short_desc,'"1+1;--"',2) > 0 ) ) )
GROUP BY bugs.bug_id, bugs.bug_severity,bugs.priority,bugs.bug_status,bugs.resolution,map_product.name,map_component.name,CASE WHEN INSTR(map_assigned_to.login_name, '@') != 0 THEN SUBSTR(map_assigned_to.login_name, 1, INSTR(map_assigned_to.login_name, '@') - 1) ELSE map_assigned_to.login_name END,bugs.short_desc,bugs.delta_ts,map_bug_status.sortkey,map_bug_status.value,map_priority.sortkey,map_priority.value
ORDER BY map_bug_status.sortkey, map_bug_status.value, map_priority.sortkey, map_priority.value, assigned_to, bug_id /* LIMIT 500 */ "] at Bugzilla/DB/Oracle.pm line 751.
Bugzilla::DB::Oracle::st::fetchrow_array('Bugzilla::DB::Oracle::st=HASH(0x4056720)') called at /var/www/html/bugzilla/buglist.cgi line 870
==============================================================
LpSolit: who is our current Oracle expert? Gerv
(In reply to Gervase Markham [:gerv] from comment #6)
> LpSolit: who is our current Oracle expert?

I'm the only one fixing bugs related to Oracle these days. Bugzilla correctly calls $dbh->quote(), which replaces single quotes (') by '', see http://search.cpan.org/~timb/DBI/DBI.pm#quote, but it looks like Oracle doesn't like it. Maybe we need to define $data_type when calling quote(). I will have to test it on my Oracle installation. I don't think this is a security issue. All you can do is make Oracle unhappy.
Assignee: general → query-and-buglist
Severity: major → normal
Component: Bugzilla-General → Query/Bug List
Priority: P1 → --
Summary: SQL Injection found with bugzilla version 4.2.5 with Oracle XE, whereas bugzilla claims it to get fixed with version 3.4.2 → [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
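The trace in comment 5 and the quote() point in comment 7 together describe two separate layers: $dbh->quote() protects the SQL string literal (' becomes ''), and Oracle Text then parses the contents of that literal as a query in its own grammar, which is where DRG-50901 comes from. The following is an added example, not Bugzilla's or DBI's code, that builds the CONTAINS(...) predicate in the shape the trace shows, checks that the term cannot leave the SQL literal, and shows what an Oracle Text escaping step would produce. The reserved-character set and the backslash escape are my reading of the Oracle Text query grammar (where - is MINUS and ; is the NEAR shorthand) and should be checked against the Oracle Text Reference for the Oracle release in use; the term 1+1;-- and the column names come from the trace.

```python
"""Added example (not Bugzilla code).

Shows why a correctly SQL-quoted search term can still yield
"DRG-50901: text query parser syntax error": the term is a valid SQL
string literal, but its contents are then parsed by Oracle Text as a
query in which ';' and '-' are operators.
"""

# ASSUMPTION: Oracle Text operator / grouping characters, to be verified
# against the Oracle Text Reference for the release in use.  Double quotes
# are deliberately not in the set: the trace shows Bugzilla wrapping the
# term in them and plain terms work, so they are left as Bugzilla uses them.
ORACLE_TEXT_RESERVED = set(',&=-~|>*;?!$%_(){}\\')


def sql_quote(value: str) -> str:
    """DBI-style string quoting as described in comment 7:
    double embedded single quotes and wrap the result in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def oracle_text_escape(term: str) -> str:
    """Prefix each reserved character with a backslash (Oracle Text's
    single-character escape, per the assumption above) so the term is
    matched literally instead of being parsed as operators."""
    return "".join("\\" + ch if ch in ORACLE_TEXT_RESERVED else ch for ch in term)


def contains_predicate(column: str, term: str, label: int, escape: bool) -> str:
    """Build `CONTAINS(col,'"term"',n) > 0` in the shape seen in the trace.
    escape=False reproduces the trace; escape=True applies the text-grammar
    escaping before the SQL-string quoting."""
    inner = oracle_text_escape(term) if escape else term
    literal = sql_quote('"' + inner + '"')
    return f"CONTAINS({column},{literal},{label}) > 0"


def is_single_sql_literal(literal: str) -> bool:
    """SQL-string-layer check: once doubled quotes are removed, the body
    must contain no single quote, i.e. the term cannot terminate the
    literal.  True says nothing about whether Oracle Text accepts the body."""
    body = literal[1:-1].replace("''", "")
    return literal.startswith("'") and literal.endswith("'") and "'" not in body


def unescaped_operators(term: str) -> list:
    """Reserved characters that would reach the Oracle Text parser unescaped;
    a non-empty result is the condition under which DRG-50901 is expected."""
    found = []
    i = 0
    while i < len(term):
        if term[i] == "\\":        # backslash escapes the next character
            i += 2
            continue
        if term[i] in ORACLE_TEXT_RESERVED:
            found.append(term[i])
        i += 1
    return found


if __name__ == "__main__":
    term = "1+1;--"                 # the term from the trace in comment 5
    column = "bugs_fulltext_6.comments_noprivate"
    raw = contains_predicate(column, term, 1, escape=False)
    safe = contains_predicate(column, term, 1, escape=True)
    print("as in trace :", raw)
    print("SQL literal intact:", is_single_sql_literal(sql_quote('"' + term + '"')))
    print("operators reaching Oracle Text:", unescaped_operators(term))
    print("escaped     :", safe)
    print("operators after escaping:", unescaped_operators(oracle_text_escape(term)))
```

Running it prints the predicate exactly as it appears in the trace, confirms that the literal is still a single SQL string (which is why comment 7 calls this an availability problem rather than injection), lists ; - - as the characters the text parser will see as operators, and shows the escaped form in which none remain.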
We have not used single quotes; rather, we were using 1+1;-- in the quick search box. Also, in the normal search box both 1+1; and 1+1;-- fail, and the security scan tool identifies it as an SQL injection issue. We did a trick and masked the $msg variable, which removes the error it was throwing, and the scan tool was then unable to find the SQL injection, but personally I am not convinced by this solution.
I tested the test cases provided in comment 0 and comment 5 using Oracle XE 10.0.2 + Bugzilla 4.5, and I'm unable to reproduce the error. Oracle doesn't complain about the single quote in the string, nor about ;-- being part of the string. So Oracle is happy with the single quote (') being replaced by ''. Rohit: which version of Oracle XE are you using?
Group: bugzilla-security
Summary: [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error → [Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
We have not used single quotes; rather, we were using 1+1;-- in the quick search box. Also, in the normal search box both 1+1; and 1+1;-- fail, and the security scan tool identifies it as an SQL injection issue. We did a trick and masked the $msg variable, which removes the error it was throwing, and the scan tool was then unable to find the SQL injection, but personally I am not convinced by this solution.
Summary: [Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error → [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
I am using Oracle XE 11gR2 (the latest available on the Oracle site).
No need to repeat the same comment; it doesn't bring any value.
Summary: [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error → [Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
(In reply to Rohit from comment #10)
> We did a trick and mask $msg variable, and it removes the error it was
> throwing

Which $msg variable are you talking about? Which file, which line?
I am using Oracle XE 11gR2 (the latest available on the Oracle site).
Summary: [Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error → [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
bugzilla/lib/CGI/Carp.pm
==========================
<h1>Software error:</h1>
<pre>$msg</pre>
<p>
Could you stop reverting changes made to the bug summary, please? I don't know how you reload a bug report, but please reload it correctly. :)

(In reply to Rohit from comment #15)
> bugzilla/lib/CGI/Carp.pm
> ==========================
> <h1>Software error:</h1>
> <pre>$msg</pre>

Removing this line doesn't make any sense at all. If you delete the line which prints the error, it's obvious that the error is no longer displayed in the web browser. This doesn't mean that the error no longer exists.
Summary: [Oracle] Single quotes used in a Simple Search cause Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error → [Oracle] Using "1+1;--" in Simple Search causes Oracle to crash with ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error
bugzilla/lib/CGI/Carp.pm
==========================
<h1>Software error:</h1>
<pre>$msg</pre>
<p>
@Frédéric Buclin, you are quite rude in writing your comments. The message repetitions are due to mid-air collision issues, and the other things are about the facts: if it's of use to you, use it, or else ignore it, but please don't preach how and what to write.
@Frédéric Buclin, you are quite rude in writing your comments. The message repetitions are due to mid-air collision issues, and the other things are about the facts: if it's of use to you, use it, or else ignore it, but please don't preach how and what to write.
It's not my intention to be rude with you; sorry if you feel that way. :( But almost all your comments are duplicated, changes I make are reverted the next time you commit your changes, and the fact that you get a mid-air collision means that your page is outdated and you must fully reload the page (do not use the Back button of your web browser!) or only submit your comment so as not to revert all changes. This triggers a lot of spam, as all your comments are then sent twice by email to a lot of people.