View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003754 | Composr | search | public | 2018-12-28 13:40 | 2018-12-28 17:31 |
Reporter | Guest | Assigned To | Chris Graham | ||
Severity | Major-bug | ||||
Status | resolved | Resolution | fixed | ||
Product Version | |||||
Fixed in Version | |||||
Summary | 0003754: Security Issue - SQL Injection | ||||
Description | SQL Injection is a critical security vulnerability which allows an attacker to extract the entire database of the site using malicious SQL queries. It does not require any authentication for the user. SQL Injection is dangerous as it allows an attacker to include a shell and compromise the web server. | ||||
Steps To Reproduce | Step 1: Visit the URL https://compo.sr/. Step 2: Go to the search field and enter any SQL characters, like in the URL below: https://compo.sr/search.htm?search_tutorials_external=1&search_comcode_pages=1&days=-1&all_defaults=0&content=hello%22+OR+1%3D1-- Step 3: It will trigger the SQL error as shown. | ||||
Tags | No tags attached. | ||||
Time estimation (hours) | |||||
Sponsorship open | |||||
Attachment: sqli.PNG (707,182 bytes)

Note 0005893 (Chris Graham, 2018-12-28 13:55)

This is not an SQL injection vulnerability. It's us not fully filtering incorrect fulltext search syntax. The error relates to the trailing '-', indicating a word exclusion which is not then actually specified.

Note 0005894 (Chris Graham, 2018-12-28 17:14)

I've set this to public, due to it not being a vulnerability, and the original poster being a guest so not being able to see it as private. While it is not a vulnerability, it is a bug.

Note 0005895 (Chris Graham, 2018-12-28 17:31)

Fixed. On some MySQL/MariaDB versions, MySQL will not be happy when a boolean fulltext query has any of these syntax errors:

1) Trailing + or - (as there's no succeeding word to be included/disincluded)
2) Leading * (as there's no preceding word to be multiplied)
3) Double + or - or * (as operators don't count as words)
4) Various other errors with operators we strip out, as we don't want to support them

This is all within the logic of the boolean querying logic, not the SQL query as a whole - nothing is injected into the SQL parser.
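The distinction the note draws is that the user's search string is interpreted by two different parsers: the SQL parser, which only ever sees a bound parameter, and the fulltext engine's boolean-mode parser, which sees the string itself and rejects malformed operator syntax. The Python below is an added illustration of the four clean-up rules listed in the note; it is not Composr's code, the `pages` table and its `title`/`body` columns in `build_search_sql` are assumptions, and treating an operator in the middle of a word (`foo-bar`) as a word separator is this example's own policy rather than a MySQL rule.

```python
import re

# Anything that is not a word character, whitespace, or one of the three
# operators this sanitizer keeps (+ include, - exclude, trailing * wildcard).
# MySQL also treats ~ < > ( ) " @ as boolean-mode operators; they are turned
# into separators so they never reach the fulltext parser (rule 4).
_UNSUPPORTED = re.compile(r"[^\w\s+\-*]")

# A whitespace-delimited token: leading operator run, core, trailing operator run.
_TOKEN = re.compile(r"([+\-*]*)(.*?)([+\-*]*)")


def sanitize_boolean_query(query: str) -> str:
    """Return a boolean-mode fulltext query with malformed operator syntax removed.

    Rules, matching the four cases in the note above:
      1. a trailing + or - with no following word is dropped;
      2. a leading * with no preceding word is dropped;
      3. doubled operators collapse to one (operators are not words);
      4. operators we do not support (~ < > ( ) " @ ...) are stripped.
    Operators inside a word (foo-bar) become separators: an assumption of
    this example, not MySQL's behaviour.
    """
    cleaned = _UNSUPPORTED.sub(" ", query)
    out = []
    for token in cleaned.split():
        prefix, core, suffix = _TOKEN.fullmatch(token).groups()
        # Mid-word operators split the core into several plain words.
        words = re.sub(r"[+\-*]+", " ", core).split()
        if not words:
            continue  # the token was only operators: nothing to include or exclude
        # Rules 2 and 3: keep at most one leading + or -; a leading * is dropped.
        op = prefix[0] if prefix and prefix[0] in "+-" else ""
        # Rules 1 and 3: only a single trailing * (wildcard) survives.
        wild = "*" if "*" in suffix else ""
        words[0] = op + words[0]
        words[-1] = words[-1] + wild
        out.extend(words)
    return " ".join(out)


def build_search_sql(user_input: str):
    """Pair the sanitized term with a parameterised statement.

    The term travels as a bound parameter (the %s placeholder used by
    MySQLdb/PyMySQL), so the SQL text never contains user input; only the
    fulltext engine's boolean-mode parser ever interprets the string.
    Table and column names are assumptions for this example.
    """
    sql = ("SELECT id, title FROM pages "
           "WHERE MATCH(title, body) AGAINST (%s IN BOOLEAN MODE)")
    return sql, (sanitize_boolean_query(user_input),)


if __name__ == "__main__":
    # The reporter's search string, after the URL decodes it.
    print(build_search_sql('hello" OR 1=1--'))
```

Run against the reporter's input, the sanitizer turns `hello" OR 1=1--` into the harmless boolean query `hello OR 1 1`: the quote and the `=` are stripped as unsupported characters, and the trailing `--` is dropped because no word follows it, which is exactly the trailing-`-` case the first note identifies as the cause of the error.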
Date Modified | Username | Field | Change |
---|---|---|---|
2018-12-28 13:40 | Guest | New Issue | |
2018-12-28 13:40 | Guest | File Added: sqli.PNG | |
2018-12-28 13:55 | Chris Graham | Note Added: 0005893 | |
2018-12-28 17:14 | Chris Graham | View Status | private => public |
2018-12-28 17:14 | Chris Graham | Note Added: 0005894 | |
2018-12-28 17:31 | Chris Graham | Assigned To | => Chris Graham |
2018-12-28 17:31 | Chris Graham | Status | non-assigned => resolved |
2018-12-28 17:31 | Chris Graham | Resolution | open => fixed |
2018-12-28 17:31 | Chris Graham | Note Added: 0005895 | |