User model login endpoint: security issue with possible query injection #4195

Closed
gabjauf opened this issue May 13, 2019 · 6 comments
gabjauf commented May 13, 2019

Hello Loopback!

I found some kind of vulnerability on the POST /Users/login route of the default User model:

Description/Steps to reproduce

Send the following to /Users/login as credentials

{
	"email": {"neq": "foo" },
	"password": "anything you want"
}

When inspecting the resulting user here, this results in the first user in the database being returned, which means we now only need to find the password.

Found in loopback v3.25.1

Expected result

We would expect the email to be forced as a string.

Feel free to reach me if my description is unclear 😄


gabjauf commented May 13, 2019

We may also use the "regexp" functionality to test multiple users without having to know their exact email:

{
	"email": {"regexp": "^a" },
	"password": "anything you want"
}
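An added example, not code from the issue or from LoopBack itself: an input check that enforces the "email forced to be a string" expectation from the report, so that an object-valued field such as the `neq` or `regexp` payloads above is rejected before it can reach a query builder and be read as a filter operator. The function and error names are hypothetical.

```javascript
'use strict';

// Hypothetical error type; a 400 is appropriate because the request body is
// malformed, not because the credentials were checked and found wrong.
class InvalidCredentialsError extends Error {
  constructor(field) {
    super(`credential field "${field}" must be a non-empty string`);
    this.name = 'InvalidCredentialsError';
    this.statusCode = 400;
    this.code = 'INVALID_CREDENTIALS';
  }
}

// Returns a sanitized { email, password } object or throws.
// JSON bodies can carry objects, arrays, numbers and booleans in any field;
// only a plain non-empty string is accepted for either credential.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new InvalidCredentialsError('body');
  }
  const result = {};
  for (const field of ['email', 'password']) {
    const value = body[field];
    // typeof rejects {"neq": ...} / {"regexp": ...} style operator objects;
    // the length check rejects "", which must never match a stored account.
    if (typeof value !== 'string' || value.length === 0) {
      throw new InvalidCredentialsError(field);
    }
    result[field] = value;
  }
  return result;
}

// Builds the user lookup filter only from validated strings, so the email is
// always an equality match on a literal value and never a nested operator.
function buildUserLookup(body) {
  const creds = validateCredentials(body);
  return { where: { email: creds.email } };
}

// Constructed request bodies mirroring the two payloads from this thread plus
// a well-formed one; each is classified as accepted or rejected.
function classifyBodies(bodies) {
  return bodies.map((body) => {
    try {
      buildUserLookup(body);
      return 'accepted';
    } catch (err) {
      return err instanceof InvalidCredentialsError ? 'rejected' : 'error';
    }
  });
}
```
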

@hacksparrow hacksparrow self-assigned this May 29, 2019
@hacksparrow
Member

@gabjauf I tried both of the payloads, but I am getting a 401. Can you elaborate on the steps?

@hacksparrow
Member

Oh, I got what you mean. Taking a look. Thanks for reporting.


fabien commented May 30, 2019

@hacksparrow I was seeing a 401 as well - could you elaborate on 'I got what you mean'?


bajtos commented Jun 4, 2019

The fix was published last week in [email protected].


gabjauf commented Jun 5, 2019

Great work guys, thanks 👍
