Unauthenticated SQL Injection is possible
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Critical | Unassigned | |
| 3.8 | Fix Released | Critical | Unassigned | |
| 3.9 | Fix Released | Critical | Unassigned | |
Bug Description
Likely affects all Evergreen versions that support search term highlighting
A bug report is coming soon for an overall review of all of our uses of the PL/pgSQL EXECUTE keyword, but this has higher urgency due to the ability to trigger it without an authtoken.
Galen found that the following srfsh request will allow you to put essentially whatever you like between the '')); and SELECT, in this case a privilege escalation:
request open-ils.search open-ils.
Which also returns normal-looking results. I haven't taken the time to encode this in such a way that you can just throw it at a server via /gateway, but one has to assume it's possible, which is essentially game over.
The open-ils.
EXECUTE 'SELECT ' || tsq_map INTO tsq_hstore;
So if you know how to correctly wrap your payload (see above) you can run whatever.
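An added illustration (not Evergreen's code; the `demo` schema and function names are assumptions) showing the EXECUTE-by-concatenation shape quoted above next to two forms that keep caller-supplied text as data rather than statement text:

```sql
-- Hypothetical sketch, not Evergreen's code. The 'demo' schema is assumed.
CREATE EXTENSION IF NOT EXISTS hstore;
CREATE SCHEMA IF NOT EXISTS demo;

-- Vulnerable shape: the caller's text is spliced into the statement that
-- EXECUTE runs, so any SQL inside the value is executed as SQL.
CREATE OR REPLACE FUNCTION demo.map_unsafe(tsq_map TEXT) RETURNS HSTORE AS $f$
DECLARE
    tsq_hstore HSTORE;
BEGIN
    EXECUTE 'SELECT ' || tsq_map INTO tsq_hstore;  -- same pattern as the report
    RETURN tsq_hstore;
END;
$f$ LANGUAGE plpgsql;

-- Hardened shape 1: no dynamic SQL at all. The cast parses the text as an
-- hstore literal (or raises an error); no statement is built from it.
CREATE OR REPLACE FUNCTION demo.map_safe(tsq_map TEXT) RETURNS HSTORE AS $f$
BEGIN
    RETURN tsq_map::HSTORE;
END;
$f$ LANGUAGE plpgsql;

-- Hardened shape 2: where dynamic SQL is genuinely needed, bind the value
-- with USING so it is passed as a parameter and can never become SQL text.
-- (format('%L', ...) is the alternative when a literal must be inlined.)
CREATE OR REPLACE FUNCTION demo.map_bound(tsq_map TEXT) RETURNS HSTORE AS $f$
DECLARE
    tsq_hstore HSTORE;
BEGIN
    EXECUTE 'SELECT $1::hstore' INTO tsq_hstore USING tsq_map;
    RETURN tsq_hstore;
END;
$f$ LANGUAGE plpgsql;

-- Constructed legitimate input: a query-to-field-list map. Both hardened
-- variants return the same hstore, and neither evaluates the text as SQL.
SELECT demo.map_safe('"(a | b) & c" => "1,2,3"');
SELECT demo.map_bound('"(a | b) & c" => "1,2,3"');
```

Auditing for the vulnerable shape is a matter of grepping PL/pgSQL bodies for `EXECUTE` followed by `||` on a parameter or variable that can carry caller input.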
Changed in evergreen:
status: New → Confirmed

Changed in evergreen:
milestone: none → 3.10.2

Changed in evergreen:
status: Confirmed → Fix Released
information type: Private Security → Public Security
Noting with respect to the example that the search query part could be made simpler; the main thing with respect to pulling off the exploit is ensuring that it doesn't cause search.highlight_display_fields() to abort with an error.