-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL Injection in "sort" parameter on /users/ page #1189
Comments
Thanks for opening your first issue here! Please follow the issue template to help us help you 👍🎉😄 |
I'm not sure security errors like this should be reported in open issues. |
Hey, @Uzay-G. We already have some security reports opened (publiclab/plots2#3966, publiclab/plots2#744, publiclab/plots2#3549). So I don’t think this is a problem. @jywarren, can you check this and publiclab/plots2#7133, please? How should I report such security issues? |
I think we can look to the controllers where this is affected:
I think it should be: .order("? ?", sort_column, sort_direction) Then Rails will sanitize the params! Can we make this change now? |
Is there anyone working on this? I would love to work on it |
@StlMaris123, sure, go ahead! |
What happened just before the problem occurred
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. An attacker can use SQL injection it to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
Due to the lack of filtering of the
sort
parameter, SQL injection is possible (nearORDER BY
)Demonstration:
http://mapknitter.org/users/?sort=asdasd
=>SELECT users.*, count(users.id) as maps_count FROM 'users' INNER JOIN 'maps' ON 'maps'.'user_id' = 'users'.'id' GROUP BY maps.user_id ORDER BY asdasd desc LIMIT 24 OFFSET 0
Relevant URLs
http://mapknitter.org/users/
How to fix
Use parameterized queries when dealing with SQL queries that contains user input. Parameterized queries allows the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
The text was updated successfully, but these errors were encountered: