[ZendTo] Potential SQL injection vulnerability?
Jules
Jules at Zend.To
Wed Jun 30 12:01:59 BST 2021
Hi Neil,
Curious.
What I can definitely say is that "pickup.php" does not have a parameter
called "getdata", so you can set that to anything you like and it
shouldn't have any effect whatsoever.
"changelocale.php" does, but that's not where they found any problem.
And even in "changelocale.php" it isn't recognised as a GET parameter,
only a POST. So again, setting it in the URL can't have any effect.
So I would say this is a false positive.
Cheers,
Jules.
On 24/06/2021 09:54, Neil via ZendTo wrote:
> Hello Jules
>
> I’ve conducted an OWASP web application test against our installation
> of zend.to, using ZAP (https://www.zaproxy.org).
>
> It has indicated one potential high risk, as a potential SQL injection
> vulnerability.
>
> Do you have any thoughts on this, and whether it is a false positive,
> please?
>
> Best wishes
>
> Neil
>
>
> Description
>
> SQL injection may be possible.
>
>
> URL
> https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl
> <https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl>
>
> Method GET
> Parameter getdata
> Attack []' AND '1'='1
> URL https://filetransfer.decoded.legal/pickup.php
> Method POST
> Parameter claimID
> Attack ZAP" AND "1"="1" --
> Instances 2
> Solution
>
> Do not trust client side input, even if there is client side
> validation in place.
>
> In general, type check all data on the server side.
>
> If the application uses JDBC, use PreparedStatement or
> CallableStatement, with parameters passed by '?'
>
> If the application uses ASP, use ADO Command Objects with strong type
> checking and parameterized queries.
>
> If database Stored Procedures can be used, use them.
>
> Do *not* concatenate strings into queries in the stored procedure, or
> use 'exec', 'exec immediate', or equivalent functionality!
>
> Do not create dynamic SQL queries using simple string concatenation.
>
> Escape all data received from the client.
>
> Apply an 'allow list' of allowed characters, or a 'deny list' of
> disallowed characters in user input.
>
> Apply the principle of least privilege by using the least privileged
> database user possible.
>
> In particular, avoid using the 'sa' or 'db-owner' database users. This
> does not eliminate SQL injection, but minimizes its impact.
>
> Grant the minimum database access that is necessary for the application.
>
> Other information
>
> The page results were successfully manipulated using the boolean
> conditions [[]' AND '1'='1] and [[]' AND '1'='2]
>
> The parameter value being modified was NOT stripped from the HTML
> output for the purposes of the comparison
>
> Data was returned for the original parameter.
>
> The vulnerability was detected by successfully restricting the data
> originally returned, by manipulating the parameter
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Once is happenstance, twice is coincidence, three times is enemy
action.' - Ian Fleming
www.Zend.To
Twitter: @JulesFM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20210630/387538ce/attachment-0001.html>
More information about the ZendTo
mailing list