XWiki Platform: XWIKI-22718

SQL injection in short form select requests through the script query API



    Description

      XWIKI-22691 describes a way to break out of the HQL query and append arbitrary native SQL statements after the initial select statement.

      This is not possible with the secure query manager (mainly because it simply fails to parse a statement containing such a trick). Unfortunately, as with the query REST resource in XWIKI-22691, the secure query manager is not applied when short form queries are used.

      For example, the following allows anyone with only script right to read all the values from the xwikistrings table (where xobject String properties are stored):

      {{velocity}}
      $services.query.hql("where 1<>'1\'' union select CONCAT(XWS_NAME,""."",XWS_VALUE) from xwikistrings #'").execute()
      {{/velocity}}
      

            People

              tmortagne Thomas Mortagne