Bug #14381
Status: Closed
CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Description
The sort_by and sort_attr parameters to any controller that uses scoped_search are not properly sanitized before they reach the generated ORDER BY clause, so they can be exploited to perform SQL injection.
On the current release (2.4) nearly every API index call is vulnerable, for example:
/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories
On older releases (2.3) only the errata API is affected:
/katello/api/v2/errata
An example showing the injection (the escaped quote at the end of the URL appends a stray single quote to the sort direction, which reaches PostgreSQL unchanged and is rejected as an unterminated string):
curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'
{"displayMessage":"PGError: ERROR: unterminated quoted string at or near \"',
I was not able to cause an update via this exploit, as it appeared that ActiveRecord was handling part of the exploit (although I may have just not been talented enough). The reporter was able to retrieve additional information from the database as a result though.
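How a sort parameter ends up in the ORDER BY clause unchecked, and how an exact-match allow-list closes the hole, as an added Ruby example that is not Katello's code (the sortable column list, the function names and the table names are assumptions chosen for illustration):

```ruby
# Added example (not Katello's code): an unchecked sort parameter reaching the
# ORDER BY clause, beside an allow-list check that rejects anything unexpected.

# Hypothetical set of columns a caller may sort by, and the two legal directions.
SORTABLE_COLUMNS = %w[id name updated_at].freeze
SORT_DIRECTIONS  = %w[ASC DESC].freeze

class InvalidSortParameter < ArgumentError; end

# Vulnerable pattern: caller-controlled strings are interpolated straight into
# the statement, so a trailing quote or extra SQL becomes part of the query.
def vulnerable_order_sql(table, sort_by, sort_order)
  "SELECT * FROM #{table} ORDER BY #{sort_by} #{sort_order}"
end

# Hardened pattern: both values must match the allow-list exactly before any SQL
# is built. Identifiers cannot be bound as parameters, so an allow-list is the
# right control here; escaping alone would still let unknown columns through.
def safe_order_sql(table, sort_by, sort_order)
  unless SORTABLE_COLUMNS.include?(sort_by)
    raise InvalidSortParameter, "sort_by not allowed: #{sort_by.inspect}"
  end
  direction = sort_order.to_s.upcase
  unless SORT_DIRECTIONS.include?(direction)
    raise InvalidSortParameter, "sort_order not allowed: #{sort_order.inspect}"
  end
  "SELECT * FROM #{table} ORDER BY #{sort_by} #{direction}"
end

# Convenience wrapper: does the hardened builder accept this pair of values?
def sort_params_accepted?(sort_by, sort_order)
  safe_order_sql("t", sort_by, sort_order)
  true
rescue InvalidSortParameter
  false
end

# Quick sanity check on any generated statement: single quotes must pair up,
# otherwise the database reports an unterminated quoted string, as in the report.
def balanced_quotes?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the report: a benign request, then the probe
  # with a stray quote appended to sort_order.
  puts vulnerable_order_sql("errata", "id", "ASC")
  puts vulnerable_order_sql("errata", "id", "ASC'")   # unbalanced quote reaches the DB
  puts safe_order_sql("errata", "id", "ASC")
  begin
    safe_order_sql("errata", "id", "ASC'")
  rescue InvalidSortParameter => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list is deliberately an exact string match rather than a regex or an escaping step: a column name is an identifier, not a value, so it cannot be passed as a bound parameter, and the only safe way to accept it from a caller is to compare it against names the application already knows.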
Updated by Justin Sherrill over 8 years ago
- File katello_sqli.py katello_sqli.py added
Reproducer script attached
Updated by Dominic Cleal over 8 years ago
- Subject changed from CVE-2016-3072 Athenticated sql inejection via sort_by and sort_attr parameters to CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Thanks to Oliver Gruskovnjak from Salesforce, who found and reported the issue to foreman-security@googlegroups.com.
Updated by David Davis over 8 years ago
- File katello-2.4.patch katello-2.4.patch added
Updated by David Davis over 8 years ago
- File katello-2.3.patch katello-2.3.patch added
Updated by Justin Sherrill over 8 years ago
- Release set to 86
Updated by Eric Helms over 8 years ago
ACK for the master patch testing and review, I think this means we have reviewed all required patches and can start the coordination process for release with Red Hat.
Updated by The Foreman Bot over 8 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello/pull/6051 added
Updated by Justin Sherrill over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello|e3abf55352ba98c1dc73057677e6299617767dd0.
Updated by Zach Huntington-Meath about 8 years ago
- Bugzilla link set to 1350803