Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Develop sql injection bug #779

Merged
merged 4 commits into from
Jun 27, 2017

Conversation

mgage
Copy link
Member

@mgage mgage commented Jun 24, 2017

This addresses the issues in bug 3792 - blind sql injection from Library browser commands.

All library browser related database queries were converted to parameterized queries.
references: http://search.cpan.org/~timb/DBI-1.636/DBI.pm#selectall_arrayref

The first check is to make sure that all of the pull down selections for finding problems of a certain type work. Check both the regular and advanced search selections.

Next is to try to construct an sql injection and see if it works. I don't have specs for doing this beyond what is in bug 3792 -- but I'm sure references can be found on the web.

@pstaabp
Copy link
Member

pstaabp commented Jun 24, 2017

Did you mean to merge this into develop instead?

@Alex-Jordan
Copy link
Contributor

Did you mean for this to go into develop?

@Alex-Jordan
Copy link
Contributor

Oh, I see you are on it.

@Alex-Jordan Alex-Jordan changed the base branch from master to develop June 24, 2017 16:04
@Alex-Jordan
Copy link
Contributor

I think I was able to reassign it.

@pstaabp
Copy link
Member

pstaabp commented Jun 26, 2017

@mgage did you think we should get this into 2.13 or wait until 2.14?

@mgage
Copy link
Member Author

mgage commented Jun 26, 2017 via email

@pstaabp
Copy link
Member

pstaabp commented Jun 26, 2017

I'll try to get to it today then. I just added this to the list of items for 2.13.

@mgage
Copy link
Member Author

mgage commented Jun 26, 2017 via email

@pstaabp
Copy link
Member

pstaabp commented Jun 26, 2017

@mgage when I run develop with the suggestion from Bug 3792 I don't get any results, thinking that it doesn't match. Did you get results back when library_sections is set to

Motivational applications (estimation)" and substring(@@version,1,1)=5#

Also, if need be, I wrote a script to test:

use HTTP::Request::Common;
use LWP::UserAgent;
use JSON;

use Data::Dump qw/dd/;

my $url  = 'http://localhost/webwork2';

my $req = POST 'http://localhost/webwork2/instructorXMLHandler',
     Content_Type => 'form-data',
     Content      => [
      xml_command => 'searchLib',
      session_key => 'I06G1niSzNsnJdFVZwQ8PxzZKdWBMafO',
      user => 'peter',
      library_name => 'Library',
      courseID => 'test',
      command => 'countDBListings',
      library_subjects => 'Calculus - single variable',
      library_chapters => 'Limits and continuity',
      library_sections => 'Motivational applications (estimation)',
      #library_sections => 'Motivational applications (estimation)" and substring(@@version,1,1)=5#',
];

$ua = LWP::UserAgent->new;
my $res = $ua->request($req);

dd decode_json($res->content);

# if you want to see the complete response
#dd $res;

but to use, you'll need to change the session_key to a currently logged in key and change the user. I'm trying other ways of injecting as well, but so far have come up empty. Have you contacted the person who originally submitting the bug about any other insight?

Overall, the library browser seems to work as above and it seems like this is more secure.

@mgage
Copy link
Member Author

mgage commented Jun 26, 2017 via email

@pstaabp
Copy link
Member

pstaabp commented Jun 27, 2017

I have found one case that locks up mysql on develop that this fixes. Using the above case and setting

library_subjects => 'Trigonometry" or dbsj.name="Geometry'

will not return anything from the develop branch (I waited about one minute--I imagine it's going through the entire database), but immediately returns 0 under this branch.

I have tried more nefarious injections on both code without success (which is good).

@mgage
Copy link
Member Author

mgage commented Jun 27, 2017

I think I'd like to have this merged into develop. It doesn't break existing code and it stops at least some exploits. I suggest we include developing good unit tests (possibly cribbed from the ones that you are using for perl dancer) in the 2.14 project. If you agree Peter could you merge it?

@pstaabp
Copy link
Member

pstaabp commented Jun 27, 2017

I misread this message. Do you mean, I should go ahead and merge this branch? Or were you talking about the test script I wrote to pull into yours?

If you'd like this merged, can you pull in my test script first?

Added a test for a simple sql injection.
@pstaabp pstaabp merged commit 985e90f into openwebwork:develop Jun 27, 2017
@mgage
Copy link
Member Author

mgage commented Jun 27, 2017

I was confused also. I've merged your PR adding the files to the t directory into this pull request.

@mgage mgage deleted the develop_sql_injection_bug branch June 27, 2017 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants