Bug #14381

closed

CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters

Added by Justin Sherrill almost 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: Urgent
Category: Security
Target version:
Difficulty: easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

The sort_by and sort_attr parameters to any controller that uses scoped_search searching are passed into the generated SQL without proper sanitization, so an authenticated user can use them to perform SQL injection.

On the current release (2.4) almost any API index call is vulnerable, for example:

/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories

On older releases (2.3) only the errata API is affected:

/katello/api/v2/errata

An example request demonstrating the injection (note the single quote appended to the sort_order value) and the database error it returns:

curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'

{"displayMessage":"PGError: ERROR: unterminated quoted string at or near \"',

I was not able to cause an update via this exploit, as it appeared that ActiveRecord was handling part of the exploit (although I may have just not been talented enough). The reporter was able to retrieve additional information from the database as a result, though.
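The bug class described above, reduced to its essence as an added example (this is illustrative code written for this page, not Katello's controller code or the attached patches): the vulnerable pattern interpolates the request's sort_by and sort_order values straight into the SQL text, so the probe from the report (`sort_order=ASC'`) yields an unterminated quoted string; the hardened pattern accepts only an exact match against an allow-list of sortable columns and a normalised ASC/DESC direction, and rejects everything else before any SQL is built. The column list is constructed for illustration, and the function and class names are assumptions.

```ruby
# Added example, not Katello's code. Shows a sort parameter handler that
# reproduces the CVE-2016-3072 bug class beside a hardened version.

# Constructed for illustration: columns a hypothetical errata model allows sorting on.
SORTABLE_COLUMNS = %w[id errata_id issued updated severity].freeze
SORT_DIRECTIONS  = %w[ASC DESC].freeze

# Vulnerable pattern: request input dropped straight into SQL text.
# sort_by="id", sort_order="ASC'" produces "ORDER BY id ASC'", which is the
# "unterminated quoted string" PostgreSQL reports on the page.
def unsafe_order_clause(sort_by, sort_order)
  "ORDER BY #{sort_by} #{sort_order}"
end

# Raised when a sort parameter fails validation (hypothetical error class).
class InvalidSortParam < ArgumentError; end

# Hardened pattern: never interpolate request input. The column must match an
# allow-list entry exactly, and the direction is normalised to ASC or DESC.
def safe_order_clause(sort_by, sort_order, columns: SORTABLE_COLUMNS)
  column = sort_by.to_s
  unless columns.include?(column)
    raise InvalidSortParam, "sort_by is not a sortable column: #{column.inspect}"
  end

  direction = sort_order.to_s.strip.upcase
  direction = "ASC" if direction.empty?
  unless SORT_DIRECTIONS.include?(direction)
    raise InvalidSortParam, "sort_order must be ASC or DESC: #{sort_order.inspect}"
  end

  # Only allow-listed literals reach the SQL string, so interpolation is safe here.
  "ORDER BY #{column} #{direction}"
end

# Runs both builders on the same input and returns the outcome as a Hash, so
# the difference can be inspected (or asserted on) rather than only printed.
def compare(sort_by, sort_order)
  safe = begin
    safe_order_clause(sort_by, sort_order)
  rescue InvalidSortParam => e
    { rejected: e.message }
  end
  { unsafe: unsafe_order_clause(sort_by, sort_order), safe: safe }
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a benign sort, the probe from the report, and a
  # column name that is not on the allow-list.
  [["issued", "desc"], ["id", "ASC'"], ["(SELECT 1)", "ASC"]].each do |sort_by, sort_order|
    result = compare(sort_by, sort_order)
    puts "sort_by=#{sort_by.inspect} sort_order=#{sort_order.inspect}"
    puts "  unsafe: #{result[:unsafe]}"
    puts "  safe:   #{result[:safe].inspect}"
  end
end
```

The practical check after applying one of the attached patches is the same curl request from the report: a fixed server must not surface a PGError for `sort_order=ASC'`, and a sort_by value that is not a real column must be rejected rather than echoed into the query.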


Files

katello_sqli.py (1.89 KB) - Justin Sherrill, 03/29/2016 01:15 PM
katello-2.4.patch (1.31 KB) - 2.4 patch - David Davis, 04/07/2016 04:14 PM
katello-2.3.patch (1.41 KB) - Katello 2.3 patch - David Davis, 04/08/2016 11:20 AM
master.patch (2.26 KB) - master/3.0 patch - David Davis, 04/11/2016 01:39 PM