
#496 (SQL Injection Vulnerability when using sfPropelAdminGenerator)


Ticket #496 (closed defect: fixed)

Opened 6 years ago

Last modified 5 years ago

SQL Injection Vulnerability when using sfPropelAdminGenerator

Reported by: symfony@jason.backtick.org
Assigned to:
Priority: critical
Milestone: 1.0.0
Component:
Version: 0.6.3
Keywords:
Cc:
Qualification:

Description

It seems I am able to perform SQL injection via the sort parameter to sfPropelAdminGenerator pages.

I created an admin page using "symfony propel-init-admin" and then I was able to inject SQL by using URLs such as:

http://example.com/backend_dev.php/comment/list/sort/created_on;insert%20into%20user_account%20(username,password)%20values('test','test');select%20*%20from%20comment%20order%20by%20created_on/type/asc

I'll leave it up to you guys to decide if this is a bug in whatever is behind Criteria's addAscendingOrderByColumn/addDescendingOrderByColumn (which should possibly be escaping the field name before generating the SQL statement) or if it's a job for processSort in the autogenerated actions.class.php to validate the input. Doing both is probably the safest.

This has been tested on 0.6.2 using a PostgreSQL 8.x backend. The exploit was successful. I have not yet looked for any other vulnerabilities.

Change History

05/09/06 16:35:52 changed by fabien

  • milestone set to 0.6.3.

06/16/06 09:46:47 changed by fabien

  • milestone changed from 0.6.3 to 1.0.0.

06/16/06 09:46:48 changed by fabien

  • milestone changed from 0.6.4 to 0.6.3.

06/21/06 10:40:34 changed by fabien

  • status changed from new to closed.
  • resolution set to fixed.

in r1490.

I fixed it in symfony but please report the problem on the Propel trac too. Thanks.

08/05/06 15:31:07 changed by l2k

  • priority changed from major to critical.
  • status changed from closed to reopened.
  • version changed from 0.6.2 to 0.6.3.
  • resolution deleted.
  • milestone deleted.

The fix is of no use. quoteIdentifier() doesn't escape special chars in the param or add any other injection prevention, it just puts quotes at the beginning and end.

see #801
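The reporter's suggestion that processSort() validate its input, and l2k's point that wrapping the identifier in quotes is not a fix, both come down to the same defence: an ORDER BY column is a name, not a value, so it has to be checked against a fixed list of known columns rather than quoted. The following is an added example, not code from symfony or Propel; the function names, the column list and the request values are constructed for illustration.

```php
<?php
// Added example (not symfony's or Propel's code). Hypothetical helpers
// standing in for the generated processSort() in actions.class.php.

// Constructed allowlist: the columns the generated list page may sort on.
// Assumption: in a real app this comes from the schema (e.g. the Peer's
// column names), so it never depends on request data.
$allowedSortColumns = array('id', 'author', 'created_on', 'updated_on');

/**
 * Return the requested column only if it is one of the known columns,
 * otherwise null. Quoting the identifier (what the first fix did) does not
 * help: the string is still handed to the SQL builder as-is, so the only
 * robust check is exact membership in the allowlist.
 */
function sanitizeSortColumn($requested, array $allowed)
{
    // Strict comparison: no type juggling, no partial or case-folded match.
    return in_array($requested, $allowed, true) ? $requested : null;
}

/** Direction is a two-value enum, so normalise it the same way. */
function sanitizeSortDirection($requested)
{
    return strtolower($requested) === 'desc' ? 'desc' : 'asc';
}

// Constructed request values mirroring the ticket's /sort/<col>/type/<dir>
// parameters: one legitimate, one carrying a stray SQL fragment.
$requests = array(
    array('sort' => 'created_on', 'type' => 'asc'),
    array('sort' => 'created_on;select 1', 'type' => 'asc'),
);

foreach ($requests as $req) {
    $column = sanitizeSortColumn($req['sort'], $allowedSortColumns);
    if ($column === null) {
        // Refuse the request instead of passing the raw string on to
        // Criteria::addAscendingOrderByColumn() / addDescendingOrderByColumn().
        echo "rejected sort parameter\n";
        continue;
    }
    $direction = sanitizeSortDirection($req['type']);
    // Only a value from the allowlist reaches the query builder.
    echo "ORDER BY $column $direction\n";
}
```

Run with `php example.php`; the first request yields `ORDER BY created_on asc`, the second is rejected before any SQL is built.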

08/29/06 16:10:35 changed by fabien

  • milestone set to 1.0.0.

08/29/06 16:10:56 changed by fabien

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [1857]) fixed using peer_method parameter in generator.yml throws PropelException (closes #845, #496)