[ZendTo] Potential SQL injection vulnerability?

Jules Jules at Zend.To
Fri Jul 2 09:18:15 BST 2021


Hi Mark,

Thanks for that more detailed analysis.

All changelocale.php does with the getdata/postdata input is put it into 
$_GET and $_POST of the script that rendered the page (having switched 
language). All the checking of the GET/POST data is done by the other 
scripts. So if there are no problems with the input handling of the 
other scripts, changelocale can't add any problems. Yes, its HTML output 
will mirror its input (including GET/POST parameters) but it doesn't 
actually do anything itself with that data, it just passes it through.

So I still think this is a false positive.

Cheers,
Jules.

On 30/06/2021 13:10, Sangster, Mark via ZendTo wrote:
>
> Hello,
>
> I tested this myself…
>
> Visiting: <site>/pickup.php?getdata=[123]
>
> Results in this in the source: '<input type="hidden" name="getdata" 
> id="getdata" value="{"getdata":"[123]"}"/>'+
>
> So, whilst pickup.php doesn’t use the variable, it does cause it to 
> be set in the <input> which would then POST to changelocale.php via JS.
>
> It is also possible to set the postdata variable for example with curl:
>
> $ curl -s --data "postdata=[123]" https://<site>/pickup.php | grep 123
>
> '<input type="hidden" name="postdata" id="postdata" 
> value="{"postdata":"[123]","auth":"0fbecdfffe9da3c642a74605325c944b"}"/>');
>
> The data is encoded but it seems like it is normally encoded as it is 
> (noting the auth). It might be feasible to craft something to impact 
> changelocale.php depending on how it handles sanitising the 
> getdata/postdata input.
>
> If it is unexpected to accept input from GET/POST to pickup.php, then 
> it shouldn’t be set and passed to changelocale.php.
>
> I presume the detection it made was simply that the submitted string 
> appears in the source.
>
> Cheers
>
> Mark
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules via ZendTo
> Sent: 30 June 2021 12:02
> To: ZendTo Users <zendto at zend.to>
> Cc: Jules <Jules at Zend.To>
> Subject: Re: [ZendTo] Potential SQL injection vulnerability?
>
>
> Hi Neil,
>
> Curious.
>
> What I can definitely say is that "pickup.php" does not have a 
> parameter called "getdata", so you can set that to anything you like 
> and it shouldn't have any effect whatsoever.
>
> "changelocale.php" does, but that's not where they found any problem.
>
> And even in "changelocale.php" it isn't recognised as a GET parameter, 
> only a POST. So again, setting it in the URL can't have any effect.
>
> So I would say this is a false positive.
>
> Cheers,
> Jules.
>
> On 24/06/2021 09:54, Neil via ZendTo wrote:
>
>     Hello Jules
>
>     I’ve conducted an OWASP web application test against our
>     installation of zend.to, using ZAP (https://www.zaproxy.org).
>
>     It has indicated one potential high risk, as a potential SQL
>     injection vulnerability.
>
>     Do you have any thoughts on this, and whether it is a false
>     positive, please?
>
>     Best wishes
>
>
>     Neil
>
>     Description: SQL injection may be possible.
>
>     URL:
>     https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22aut
>     h%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%
>     5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl
>
>     Method: GET
>     Parameter: getdata
>     Attack: []' AND '1'='1
>
>     URL: https://filetransfer.decoded.legal/pickup.php
>     Method: POST
>     Parameter: claimID
>     Attack: ZAP" AND "1"="1" --
>
>     Instances: 2
>
>     Solution:
>
>     Do not trust client side input, even if there is client side
>     validation in place.
>
>     In general, type check all data on the server side.
>
>     If the application uses JDBC, use PreparedStatement or
>     CallableStatement, with parameters passed by '?'
>
>     If the application uses ASP, use ADO Command Objects with strong
>     type checking and parameterized queries.
>
>     If database Stored Procedures can be used, use them.
>
>     Do *not* concatenate strings into queries in the stored procedure,
>     or use 'exec', 'exec immediate', or equivalent functionality!
>
>     Do not create dynamic SQL queries using simple string concatenation.
>
>     Escape all data received from the client.
>
>     Apply an 'allow list' of allowed characters, or a 'deny list' of
>     disallowed characters in user input.
>
>     Apply the principle of least privilege by using the least
>     privileged database user possible.
>
>     In particular, avoid using the 'sa' or 'db-owner' database users.
>     This does not eliminate SQL injection, but minimizes its impact.
>
>     Grant the minimum database access that is necessary for the
>     application.
>
>     Other information:
>
>     The page results were successfully manipulated using the boolean
>     conditions [[]' AND '1'='1] and [[]' AND '1'='2]
>
>     The parameter value being modified was NOT stripped from the HTML
>     output for the purposes of the comparison
>
>     Data was returned for the original parameter.
>
>     The vulnerability was detected by successfully restricting the
>     data originally returned, by manipulating the parameter
>
>
>     _______________________________________________
>
>     ZendTo mailing list
>
>     ZendTo at zend.to
>
>     http://jul.es/mailman/listinfo/zendto
>
>
>
> Jules
> -- 
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> 'Once is happenstance, twice is coincidence, three times is enemy
>   action.' - Ian Fleming
> www.Zend.To  <http://www.Zend.To>
> Twitter: @JulesFM
>
>
>

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'We are such stuff as dreams are made on.
  And our little life is rounded with a sleep.'
    - Starfleet Admiral Jean-Luc Picard (retired)

www.Zend.To
Twitter: @JulesFM
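The triage that Mark and Jules do by hand above can be scripted. ZAP's "Other information" says it compared the page for `[]' AND '1'='1` against `[]' AND '1'='2` and did NOT strip the submitted value from the HTML before comparing; since pickup.php echoes that value into a hidden input, the two pages differ by construction. The script below is an added example, not ZendTo's code and not anything posted in this thread: it repeats the comparison with the echoed payload removed in each encoding it might appear in (raw, JSON-escaped, HTML-entity-escaped). Both page renderers are constructed stand-ins, one imitating the reflecting behaviour Mark observed and one hypothetical page that is really injectable, so the check has a true positive to distinguish from the false one; `http_fetcher` and every other name are assumptions for the example.

```python
"""Added example: re-run ZAP's boolean-based SQLi comparison with the
reflected payload stripped. Not ZendTo code; page renderers are constructed
stand-ins, and http_fetcher is only for a test instance you may scan."""
import html
import json
import urllib.parse
import urllib.request

# The two payloads ZAP reported using for its boolean comparison.
TRUE_PAYLOAD = "[]' AND '1'='1"
FALSE_PAYLOAD = "[]' AND '1'='2"


def render_reflecting_page(getdata: str, html_escaped: bool = False) -> str:
    """Constructed stand-in for the observed pickup.php behaviour: the
    parameter is echoed, JSON-encoded, into a hidden input written by JS and
    nothing else depends on it. html_escaped=True models the same page with
    entity-encoded attribute values (an assumption, to show that stripping
    must cover every plausible encoding)."""
    payload = json.dumps({"getdata": getdata})
    if html_escaped:
        payload = html.escape(payload)
    return (
        "<html><body>\n"
        "<form id='pickup'><input name='claimID'/></form>\n"
        "<script>document.write('<input type=\"hidden\" name=\"getdata\" "
        "id=\"getdata\" value=\"" + payload + "\"/>');</script>\n"
        "</body></html>\n"
    )


def render_vulnerable_page(getdata: str) -> str:
    """Constructed, hypothetical injectable page (not ZendTo): rows vanish
    when the injected condition is false, which is what a real boolean-based
    blind SQLi looks like to the comparison below."""
    condition_false = "'1'='2" in getdata
    rows = [] if condition_false else ["<tr><td>file-1</td></tr>",
                                       "<tr><td>file-2</td></tr>"]
    return "<html><body><table>" + "".join(rows) + "</table></body></html>\n"


def reflected_forms(value: str) -> list:
    """Encodings under which an echoed value may appear in HTML: raw,
    JSON-string-escaped, HTML-entity-escaped, and entity-escaped JSON."""
    json_form = json.dumps(value)[1:-1]  # drop the surrounding double quotes
    forms = {value, json_form, html.escape(value), html.escape(json_form)}
    return sorted(forms, key=len, reverse=True)  # longest first


def strip_reflection(body: str, value: str) -> str:
    """Remove every reflected form of the payload from the response body."""
    for form in reflected_forms(value):
        body = body.replace(form, "")
    return body


def boolean_sqli_verdict(fetch, true_payload: str = TRUE_PAYLOAD,
                         false_payload: str = FALSE_PAYLOAD) -> dict:
    """fetch(value) -> HTML body. Compare the TRUE and FALSE responses both
    naively (ZAP's 'NOT stripped' comparison) and after removing the echoed
    payload. Only a difference that survives stripping means the value
    influenced something server-side."""
    body_true, body_false = fetch(true_payload), fetch(false_payload)
    naive = body_true != body_false
    after_strip = (strip_reflection(body_true, true_payload)
                   != strip_reflection(body_false, false_payload))
    if after_strip:
        verdict = "possible SQLi"
    elif naive:
        verdict = "false positive (reflection only)"
    else:
        verdict = "no difference"
    return {"differs_naively": naive,
            "differs_after_stripping": after_strip,
            "verdict": verdict}


def http_fetcher(base_url: str, param: str):
    """Real fetcher for a test instance you are authorised to scan (not
    exercised offline). base_url and param are supplied by the caller."""
    def fetch(value: str) -> str:
        url = base_url + "?" + urllib.parse.urlencode({param: value})
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    for name, page in [("reflecting", render_reflecting_page),
                       ("reflecting+escaped",
                        lambda v: render_reflecting_page(v, True)),
                       ("vulnerable", render_vulnerable_page)]:
        print(name, boolean_sqli_verdict(page))
```

When the difference disappears after stripping, the scanner's evidence was the reflection itself and the finding can be closed as a false positive, which is the conclusion reached above. The script says nothing about what changelocale.php later does with the value, which is the separate question Mark raises, nor about whether the reflection is correctly encoded for the context it lands in; those need a read of the receiving code.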