Re: [Dspace-tech] Security vulnerability - Blind SQL injection
On 30 May 2014 03:32, Koh Kim Boon <koh_kim_b...@sp.edu.sg> wrote:
> Recently my DSpace server had a security scan, and one of the vulnerabilities listed is blind SQL injection.

Hi Koh

Can you tell us exactly the nature of the security scan?

Thanks.

Hilton Gibson
Ubuntu Linux Systems Administrator
JS Gericke Library, Room 1025D
Stellenbosch University
Private Bag X5036, Stellenbosch 7599, South Africa
Tel: +27 21 808 4100 | Cell: +27 84 646 4758
http://scholar.sun.ac.za
http://bit.ly/goodir
http://library.sun.ac.za
http://za.linkedin.com/in/hiltongibson

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] Security vulnerability - Blind SQL injection
Hi

As we are a government-related agency, our IT agency does a regular security scan to check for weaknesses or vulnerabilities.

Koh Kim Boon
Department of Information and Digital Technology (Library Solutions)
500 Dover Road, Singapore 139651
DID: 67721129
Tel: 67721160
Fax: 61121969
Email: koh_kim_b...@sp.edu.sg

From: Hilton Gibson [mailto:hilton.gib...@gmail.com]
Sent: Friday, 30 May 2014 4:10 PM
To: Koh Kim Boon
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Security vulnerability - Blind SQL injection

[...]
Re: [Dspace-tech] Security vulnerability - Blind SQL injection
Hi, before this conversation goes any further, we have a system to deal with bug reports, and we take them very seriously. Please submit a detailed bug report, including steps to reproduce the error, to https://jira.duraspace.org/browse/DS

Thanks!

PS, I would be very surprised if any JDBC-based webapp ever contained an SQL injection error, as there is very good protection from that in those libraries.

Sent from my NOOK

Koh Kim Boon <koh_kim_b...@sp.edu.sg> wrote:
[...]
Re: [Dspace-tech] Security vulnerability - Blind SQL injection
Hi

A couple of weeks ago we asked about this kind of vulnerability in this message: http://dspace.2283337.n4.nabble.com/SQL-injection-attacks-td4673013.html

We were notified by our governmental IT security agency about the recurrence of this attack (apparently without success) against one of the DSpace installations that our company supports. We asked for an update of http://dspace.2283337.n4.nabble.com/Dspace-tech-DSpace-and-Cross-site-scripting-SQL-Injection-attack-vulnerabilities-td3276960.html, but we didn't consider filing a JIRA report since the attacks were unsuccessful.

Regards

On 30/05/2014 13:01, Pottinger, Hardy J. wrote:
[...]
Re: [Dspace-tech] Security vulnerability - Blind SQL injection
Hi Koh Kim Boon,

by all means, I invite you to submit a Jira bug with the security flag, where more DSpace committers will take a look at the issue and evaluate it.

Here is my investigation:

This type of test tests for SQL injection attack by adding an expression to URL parameters that - if processed by a SQL database - will return an error. The assumption is that such a SQL error will render a different HTML output than a valid query. The tool will then verify the resulting HTML where no error is expected and where the error is expected. If such a difference is found, a possible SQL injection vulnerability is reported.

Therefore I constructed 2 queries on my test instance. I tested with DSpace master, DSpace 4.1 and DSpace 1.8.2:

```sh
# Baseline request: a harmless search term; the response is saved to file "2"
curl --data query=xxx http://demo.dspace.org/xmlui/handle/10673/1/discover > 2
# Probe request: query=10' OR '16123'='1612310' AND '16123'='16124 (URL-encoded); response saved to file "3"
curl --data "query=10%27%20OR%20%2716123%27=%271612310%27%20AND%20%2716123%27=%2716124" http://demo.dspace.org/xmlui/handle/10673/1/discover > 3
```

Both these queries are supposed to return an empty result set.
The difference between the HTML replies indicate only a difference in query parameters, nothing else (plus, in case of DSpace 4 there's a Did you mean suggestion which is likely to trigger this kind of alarm, but is not present in DSpace 1.8): --- 2 2014-05-30 14:03:23.0 +0200+++ 3 2014-05-30 14:03:42.0 +0200@@ -137,10 +137,14 @@ ol li class=ds-form-item div class=ds-form-content-input id=aspect_discovery_SimpleSearch_field_query class=ds-text-field name=query type=text value=xxx /+input id=aspect_discovery_SimpleSearch_field_query class=ds-text-field name=query type=text value=10' OR '16123'='1612310' AND '16123'='16124 / input xmlns:i18n=http://apache.org/cocoon/i18n/2.1; id=aspect_discovery_SimpleSearch_field_submit class=ds-button-field search-icon name=submit type=submit value=Go / /div /li+li id=aspect_discovery_SimpleSearch_item_did-you-mean class=ds-form-item didYouMean+div class=ds-form-contentDid you mean: a xmlns:i18n=http://apache.org/cocoon/i18n/2.1; xmlns=http://www.w3.org/1999/xhtml; href=discover?rpp=10amp;page=1amp;query=10' OR '1612'='162010' AND '1612'='1612amp;group_by=noneamp;e+/div+/li li class=ds-form-item last div class=ds-form-content a href=display-filtersAdd filters/a@@ -189,14 +193,14 @@ /table /div p id=aspect_discovery_SimpleSearch_p_hidden-fields class=ds-paragraph hidden-input id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field name=query type=hidden value=xxx /+input id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field name=query type=hidden value=10' OR '16123'='1612310' AND '16123'='16124 / /p /form /div form id=aspect_discovery_SimpleSearch_div_main-form class=ds-interactive-div action=/xmlui/handle/10673/1/discover method=post onsubmit=javascript:tSubmit(this); p id=aspect_discovery_SimpleSearch_p_hidden-fields class=ds-paragraph hidden input id=aspect_discovery_SimpleSearch_field_search-result class=ds-hidden-field name=search-result type=hidden value=true /-input 
id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field name=query type=hidden value=xxx /+input id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field name=query type=hidden value=10' OR '16123'='1612310' AND '16123'='16124 / input id=aspect_discovery_SimpleSearch_field_current-scope class=ds-hidden-field name=current-scope type=hidden value=10673/1 / input id=aspect_discovery_SimpleSearch_field_rpp class=ds-hidden-field name=rpp type=hidden value=10 / input id=aspect_discovery_SimpleSearch_field_sort_by class=ds-hidden-field name=sort_by type=hidden value=score /

This leads me to dismiss this report as a false alarm.

My second reason to believe this is a non-issue is that the /discover endpoint doesn't use its parameters to construct a SQL query, it constructs a Solr query instead. A Solr query injection vulnerability is conceivable, but very limited in impact - both in scope and duration of its effects. Here are the XMLUI aspects that process such a URL and thus have access to the query parameter:

https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/resources/aspects/Discovery/sitemap.xmap#L149
https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SidebarFacetsTransformer.java
https://github.com/DSpace/DSpace/tree/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SimpleSearch.java
https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/IncludePageMeta.java

Again, I invite you to file the bug report to stimulate more independent review in case any of my assumptions are wrong.

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
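Review bot: in the first hunk (`@@ -137,10 +137,14 @@`) the only changes are the echoed `value=` of the query field and the four added `did-you-mean` lines, and in the second (`@@ -189,14 +193,14 @@`) only the two hidden `value=` fields change; that is precisely the delta a differential scanner sees whether or not any SQL runs, so it supports the false-alarm reading, but only for this one pair of inputs (`xxx` against a false-condition payload). A boolean-blind test compares a true-condition and a false-condition variant of the same payload, so the diff worth attaching to the Jira report is that pair, taken with the `did-you-mean` block and the reflected value stripped before diffing; if the remaining bodies are identical the verdict holds. Also worth confirming in the raw response: in the `+` line `href=discover?rpp=10amp;page=1amp;query=10' OR '1612'='162010' AND '1612'='1612amp;...` the `&` is entity-encoded (`amp;`) while the `'` characters appear raw, so whether the quote is safely contained depends on the attribute quoting that the extraction has dropped.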
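The scanner logic helix84 describes, written out as an added example in Python against an in-memory SQLite table. This is not DSpace code and not code from anyone on the thread. It puts a search built by string concatenation beside one using a bound parameter (the distinction the JDBC remark turns on: binding through PreparedStatement protects, a concatenated string run through Statement does not), adds a stand-in page that echoes the query back and, like the DSpace 4 Discovery page, offers a "Did you mean" suggestion when a search is empty, and then runs a boolean-blind differential check twice: naively, and after stripping the reflected input and the suggestion. The false-condition payload is the one from the curl command above; the true-condition counterpart, the table contents, the page template and the suggestion rule are assumptions made for the example.

```python
"""Boolean-blind SQL injection check with and without response normalization.

Added example for the thread above; not DSpace code. The table, the page
template and the true-condition payload are constructed for illustration.
"""
import html
import re
import sqlite3

# Constructed in-memory catalogue standing in for the repository database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE item (handle TEXT, title TEXT)")
DB.executemany("INSERT INTO item VALUES (?, ?)",
               [("10673/1", "xxx"), ("10673/2", "Ten"), ("10673/3", "10")])


def search_concat(query):
    """Input spliced into the statement text: the pattern a scanner hunts for."""
    sql = "SELECT title FROM item WHERE title = '" + query + "'"
    return [row[0] for row in DB.execute(sql)]


def search_bound(query):
    """Input passed as a bound parameter (what JDBC's PreparedStatement does)."""
    sql = "SELECT title FROM item WHERE title = ?"
    return [row[0] for row in DB.execute(sql, (query,))]


def render(results, query, did_you_mean):
    """Stand-in search page (assumed template, not DSpace's): echoes the query
    into the form and shows a spelling suggestion when the result set is empty."""
    esc = html.escape(query, quote=True)
    out = ['<input name="query" type="text" value="%s" />' % esc]
    if did_you_mean and not results:
        # Assumed suggestion rule: strip punctuation (stands in for Solr spellcheck).
        hint = html.escape(re.sub(r"[^A-Za-z0-9 ]", "", query), quote=True)
        out.append('<li class="didYouMean">Did you mean: '
                   '<a href="discover?query=%s">%s</a></li>' % (hint, hint))
    out.extend('<li class="result">%s</li>' % html.escape(t) for t in results)
    return "\n".join(out)


# Boolean pair: same shape, one condition true and one false. FALSE_PAYLOAD is
# the probe from the thread; TRUE_PAYLOAD is the assumed counterpart.
TRUE_PAYLOAD = "10' OR '16123'='16123' AND '16123'='16123"
FALSE_PAYLOAD = "10' OR '16123'='1612310' AND '16123'='16124"


def normalize(body, sent):
    """Drop the parts of a response that vary with the input even when no SQL
    is involved: the reflected value and the 'Did you mean' block."""
    body = body.replace(html.escape(sent, quote=True), "")
    return re.sub(r'<li class="didYouMean">.*?</li>', "", body, flags=re.S)


def blind_sqli_check(app):
    """Return (naive_verdict, normalized_verdict) for a page function
    app(query) -> html. True means 'responses differ, injection suspected'."""
    t, f = app(TRUE_PAYLOAD), app(FALSE_PAYLOAD)
    naive = t != f
    normalized = normalize(t, TRUE_PAYLOAD) != normalize(f, FALSE_PAYLOAD)
    return naive, normalized


def vulnerable_app(query):
    return render(search_concat(query), query, did_you_mean=True)


def safe_app(query):
    return render(search_bound(query), query, did_you_mean=True)


if __name__ == "__main__":
    for name, app in (("concat", vulnerable_app), ("bound", safe_app)):
        print(name, blind_sqli_check(app))
```

Against the concatenated query the true-condition page lists every row and the false-condition page lists one, so both verdicts flag it. Against the bound query both pages are empty searches whose only differences are the echoed value and the suggestion; the naive comparison still flags it, which is the kind of alarm the thread is about, and the normalized comparison does not. A real scan of /discover would not even reach the concatenated branch, since that endpoint builds a Solr query rather than SQL, but the normalization step is what separates a usable finding from noise on any page that reflects its input.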
Re: [Dspace-tech] Security vulnerability - Blind SQL injection
Hi All,

First, thanks for the very thorough review, helix84! I've also done a review this morning. As far as I can tell, helix84's conclusions look to be correct. I also haven't been able to find any way to actually perform a successful SQL injection via the reported methods.

However, Koh Kim Boon, if you or anyone at your institution sees a flaw in our conclusions, or if we've misunderstood anything, please do let us know.

As two of our Committers mentioned (Hardy and helix84), we take any security vulnerability reports very seriously. If you or anyone else notices a possible security vulnerability, please send it our way. You are also welcome to email me (tdono...@duraspace.org) directly (or any of our Committers [1]), if it's an issue you'd rather not make immediately public. The Committers have a private listserv which is used to quickly analyze and patch such security issues when they arise (and once fixed, we will publicly report the security issue along with the patch).

If you have any questions, let us know!

Thanks,

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

[1] The list of Committers is at: https://wiki.duraspace.org/display/DSPACE/DSpaceContributors

On 5/30/2014 7:17 AM, helix84 wrote:
[...]