
Bug #14381

closed

CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters

Added by Justin Sherrill about 8 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Urgent
Category: Security
Target version:
Difficulty: easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

The sort_by and sort_attr parameters to any controller that uses scoped_search searching are not properly sanitized and thus can be exploited to perform sql injection.

On the current release (2.4) most any api index call is vulnerable such as:

/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories

On older releases (2.3) only the errata api is affected:

/katello/api/v2/errata

An example showing the injection is:

curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'

{"displayMessage":"PGError: ERROR: unterminated quoted string at or near \"',

I was not able to cause an update via this exploit, as it appeared that Active Record was handling part of the exploit (although I may have just not been talented enough). The reporter was able to retrieve additional information from the database as a result though.
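As an added illustration (not Katello's or scoped_search's own code), the pattern behind this report: a sort_by/sort_order pair interpolated straight into ORDER BY, beside a hardened version that reduces both values to a fixed whitelist before any SQL is built. The sortable column list and the InvalidSortParam class are assumptions of this example; the sort_order=ASC' value is the one from the curl reproducer above.

```ruby
require 'set'
require 'uri'

ALLOWED_DIRECTIONS = Set.new(%w[ASC DESC]).freeze

# Assumed error type for rejected sort parameters (not part of Katello).
class InvalidSortParam < ArgumentError; end

# Vulnerable pattern: request values are dropped into the clause unchanged,
# so sort_order = "ASC'" produces an unterminated quoted string, which is
# exactly the PGError quoted in the report.
def unsafe_order_clause(sort_by, sort_order)
  "ORDER BY #{sort_by} #{sort_order}"
end

# Hardened pattern: the column must be one of the model's own sortable
# columns (passed in here as a plain array, an assumption of this example),
# the direction must be exactly ASC or DESC, and the column name is quoted
# as an identifier. Nothing from the request reaches the SQL verbatim.
def safe_order_clause(sort_by, sort_order, sortable_columns)
  column = sort_by.to_s
  direction = sort_order.to_s.upcase
  unless sortable_columns.include?(column)
    raise InvalidSortParam, "sort_by must be one of: #{sortable_columns.join(', ')}"
  end
  unless ALLOWED_DIRECTIONS.include?(direction)
    raise InvalidSortParam, 'sort_order must be ASC or DESC'
  end
  %(ORDER BY "#{column}" #{direction})
end

# Parse a raw query string the way an API index call would see it and
# build the clause through the whitelist. Defaults mirror a typical
# "id ASC" listing when the parameters are absent.
def order_clause_for_query(query, sortable_columns)
  params = URI.decode_www_form(query).to_h
  safe_order_clause(params.fetch('sort_by', 'id'),
                    params.fetch('sort_order', 'ASC'),
                    sortable_columns)
end
```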


Files

katello_sqli.py katello_sqli.py 1.89 KB Justin Sherrill, 03/29/2016 01:15 PM
katello-2.4.patch katello-2.4.patch 1.31 KB 2.4 patch David Davis, 04/07/2016 04:14 PM
katello-2.3.patch katello-2.3.patch 1.41 KB Katello 2.3 patch David Davis, 04/08/2016 11:20 AM
master.patch master.patch 2.26 KB master/3.0 patch David Davis, 04/11/2016 01:39 PM
Actions #1

Updated by Justin Sherrill about 8 years ago

Reproducer script attached

Actions #2

Updated by Dominic Cleal about 8 years ago

  • Subject changed from CVE-2016-3072 Athenticated sql inejection via sort_by and sort_attr parameters to CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters

Thanks to Oliver Gruskovnjak from Salesforce, who found and reported the issue to .

Actions #5

Updated by David Davis about 8 years ago

Actions #6

Updated by Justin Sherrill about 8 years ago

  • translation missing: en.field_release set to 86
Actions #7

Updated by Justin Sherrill about 8 years ago

ACK from me on 2.4 patch

Actions #8

Updated by Eric Helms about 8 years ago

ACK for the master patch testing and review, I think this means we have reviewed all required patches and can start the coordination process for release with Red Hat.

Actions #9

Updated by Justin Sherrill almost 8 years ago

  • Private changed from Yes to No
Actions #10

Updated by The Foreman Bot almost 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6051 added
Actions #11

Updated by Justin Sherrill almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #12

Updated by Zach Huntington-Meath almost 8 years ago

  • Bugzilla link set to 1350803