Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread Hilton Gibson
On 30 May 2014 03:32, Koh Kim Boon <koh_kim_b...@sp.edu.sg> wrote:

 Recently my DSpace server had a security scan and one of the vulnerabilities
 listed is blind SQL injection.


Hi Koh

Can you tell us exactly the nature of the security scan?

Thanks.


*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025D
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758
http://scholar.sun.ac.za
http://bit.ly/goodir
http://library.sun.ac.za
http://za.linkedin.com/in/hiltongibson
--
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread Koh Kim Boon
Hi

As we are a government-related agency, our IT agency does a regular security 
scan to check for weaknesses or vulnerabilities.

Koh Kim Boon
Department of Information and Digital Technology (Library Solutions)
500 Dover Road, Singapore 139651
DID: 67721129
Tel: 67721160
Fax: 61121969
Email: koh_kim_b...@sp.edu.sg


Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread Pottinger, Hardy J.
Hi, before this conversation goes any further, we have a system to deal with 
bug reports, and we take them very seriously. Please submit a detailed bug 
report, including steps to reproduce the error, to

https://jira.duraspace.org/browse/DS

Thanks!

PS, I would be very surprised if any JDBC-based webapp ever contained an SQL 
injection error, as there is very good protection from that in those libraries.

Sent from my NOOK


Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread emilio lorenzo

Hi
A couple of weeks ago, we asked about this kind of vulnerability in 
this message:

http://dspace.2283337.n4.nabble.com/SQL-injection-attacks-td4673013.html

We were notified by our governmental IT security agency about the 
recurrence of this attack (apparently without success) on one of the 
DSpace installations that our company supports.
We asked for an update of 
http://dspace.2283337.n4.nabble.com/Dspace-tech-DSpace-and-Cross-site-scripting-SQL-Injection-attack-vulnerabilities-td3276960.html, 
but we didn't consider filing a JIRA report since the attacks were 
unsuccessful.


Regards




Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread helix84
Hi Koh Kim Boon,

by all means, I invite you to submit a Jira bug with the security flag,
where more DSpace committers will take a look at the issue and evaluate it.
Here is my investigation:

This type of test checks for SQL injection attacks by adding an expression to
URL parameters that, if processed by an SQL database, will return an
error. The assumption is that such an SQL error will render different HTML
output than a valid query. The tool then compares the resulting HTML
where no error is expected and where the error is expected. If such a
difference is found, a possible SQL injection vulnerability is reported.

Therefore I constructed 2 queries on my test instance. I tested with DSpace
master, DSpace 4.1 and DSpace 1.8.2:

curl --data query=xxx http://demo.dspace.org/xmlui/handle/10673/1/discover > 2

curl --data \
  query=10%27%20OR%20%2716123%27=%271612310%27%20AND%20%2716123%27=%2716124 \
  http://demo.dspace.org/xmlui/handle/10673/1/discover > 3

Both these queries are supposed to return an empty result set. The
differences between the HTML replies indicate only a difference in query
parameters, nothing else (plus, in the case of DSpace 4 there's a "Did you
mean" suggestion which is likely to trigger this kind of alarm, but is not
present in DSpace 1.8):

--- 2   2014-05-30 14:03:23.0 +0200+++ 3   2014-05-30
14:03:42.0 +0200@@ -137,10 +137,14 @@
 ol
 li class=ds-form-item
 div class=ds-form-content-input
id=aspect_discovery_SimpleSearch_field_query class=ds-text-field
name=query type=text value=xxx /+input
id=aspect_discovery_SimpleSearch_field_query class=ds-text-field
name=query type=text value=10' OR '16123'='1612310' AND
'16123'='16124 /
 input xmlns:i18n=http://apache.org/cocoon/i18n/2.1;
id=aspect_discovery_SimpleSearch_field_submit class=ds-button-field
search-icon name=submit type=submit value=Go /
 /div
 /li+li id=aspect_discovery_SimpleSearch_item_did-you-mean
class=ds-form-item didYouMean+div class=ds-form-contentDid you
mean: a xmlns:i18n=http://apache.org/cocoon/i18n/2.1;
xmlns=http://www.w3.org/1999/xhtml;
href=discover?rpp=10amp;page=1amp;query=10' OR '1612'='162010' AND
'1612'='1612amp;group_by=noneamp;e+/div+/li
 li class=ds-form-item last
 div class=ds-form-content
 a href=display-filtersAdd filters/a@@ -189,14 +193,14 @@
 /table
 /div
 p id=aspect_discovery_SimpleSearch_p_hidden-fields
class=ds-paragraph hidden-input
id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field
name=query type=hidden value=xxx /+input
id=aspect_discovery_SimpleSearch_field_query class=ds-hidden-field
name=query type=hidden value=10' OR '16123'='1612310' AND
'16123'='16124 /
 /p
 /form
 /div
 form id=aspect_discovery_SimpleSearch_div_main-form
class=ds-interactive-div  action=/xmlui/handle/10673/1/discover
method=post onsubmit=javascript:tSubmit(this);
 p id=aspect_discovery_SimpleSearch_p_hidden-fields
class=ds-paragraph hidden
 input id=aspect_discovery_SimpleSearch_field_search-result
class=ds-hidden-field name=search-result type=hidden
value=true /-input id=aspect_discovery_SimpleSearch_field_query
class=ds-hidden-field name=query type=hidden value=xxx
/+input id=aspect_discovery_SimpleSearch_field_query
class=ds-hidden-field name=query type=hidden value=10' OR
'16123'='1612310' AND '16123'='16124 /
 input id=aspect_discovery_SimpleSearch_field_current-scope
class=ds-hidden-field name=current-scope type=hidden
value=10673/1 /
 input id=aspect_discovery_SimpleSearch_field_rpp
class=ds-hidden-field name=rpp type=hidden value=10 /
 input id=aspect_discovery_SimpleSearch_field_sort_by
class=ds-hidden-field name=sort_by type=hidden value=score /
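Review bot: the comparison lacks a control case: the did-you-mean block appears only in the probe response, so the second file will always carry extra `+` lines and a scanner that keys on response differences will flag it whether or not SQL is involved. A second benign term that also triggers a suggestion would show whether those lines alone account for the difference. The evidence that is there supports the verdict: apart from the suggestion block, every changed line in both hunks is the `query` value echoed into an `input` (the text field and the hidden fields), the reflected `href` is entity-encoded (`amp;`), no database error text appears anywhere, and the suggestion link carries a rewritten string (`'1612'='162010'`) rather than the submitted `'16123'='1612310'`, i.e. the parameter passed through the suggestion feature, which fits a Solr rather than an SQL path.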



This leads me to dismiss this report as a false alarm.


My second reason to believe this is a non-issue is that the /discover
endpoint doesn't use its parameters to construct a SQL query, it constructs
a Solr query instead. A Solr query injection vulnerability is conceivable,
but very limited in impact - both in scope and duration of its effects.

Here are the XMLUI aspects that process such URLs and thus have access to
the query parameter:

https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/resources/aspects/Discovery/sitemap.xmap#L149

https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SidebarFacetsTransformer.java
https://github.com/DSpace/DSpace/tree/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SimpleSearch.java
https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/IncludePageMeta.java


Again, I invite you to file the bug report to stimulate more independent
review in case any of my assumptions are wrong.


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
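As an added example, not code from the thread or from DSpace, this Python reproduces the differential check helix84 describes, but masks the echoed query before diffing so that reflected input is not mistaken for a changed response, and adds a control comparison with a second benign term that also produces a suggestion, which goes slightly beyond the post. The HTML template, the render() stand-in for the server and the error-text pattern are constructed assumptions modelled on the form quoted above; only the two query strings come from the thread.

```python
import difflib
import html
import re
import urllib.parse

# Constructed sample data, not real captures: a template modelled on the DSpace
# XMLUI /discover form quoted in the thread (query echoed into inputs and a link).
BENIGN_QUERY = "xxx"
PROBE_QUERY = "10' OR '16123'='1612310' AND '16123'='16124"

FORM_TEMPLATE = """<ol>
<li class="ds-form-item">
<div class="ds-form-content">
<input id="aspect_discovery_SimpleSearch_field_query" name="query" type="text" value="{q}" />
</div>
</li>
{suggestion}<li class="ds-form-item last">
<div class="ds-form-content"><a href="display-filters">Add filters</a></div>
</li>
</ol>
<input id="aspect_discovery_SimpleSearch_field_query" name="query" type="hidden" value="{q}" />
"""
DID_YOU_MEAN = ('<li id="aspect_discovery_SimpleSearch_item_did-you-mean">'
                'Did you mean: <a href="discover?query={q}">{q}</a></li>\n')

def render(query, suggest=False):
    """Stand-in for the server (constructed): reflects the query HTML-escaped."""
    q = html.escape(query, quote=True)
    return FORM_TEMPLATE.format(q=q, suggestion=DID_YOU_MEAN.format(q=q) if suggest else "")

def mask_reflection(body, query):
    """Replace every echo of the submitted query (raw, HTML-escaped or
    URL-encoded) with one token, so reflected input cannot count as a change."""
    for form in {query, html.escape(query, quote=True), urllib.parse.quote(query)}:
        body = body.replace(form, "{QUERY}")
    return body

def residual_diff(benign_body, benign_q, probe_body, probe_q):
    """Changed lines left after masking. Empty means the probe altered nothing
    but its own echo, i.e. no sign of a backend error or of new content."""
    a = mask_reflection(benign_body, benign_q).splitlines()
    b = mask_reflection(probe_body, probe_q).splitlines()
    return [line for line in difflib.unified_diff(a, b, lineterm="", n=0)
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]

def looks_like_sql_error(body):
    """Crude check for database error text, the signal an error-based probe
    actually needs; a differing response on its own proves nothing."""
    return re.search(r"SQLException|syntax error|ORA-\d{5}", body) is not None

if __name__ == "__main__":
    probe = render(PROBE_QUERY, suggest=True)
    print(residual_diff(render(BENIGN_QUERY), BENIGN_QUERY, probe, PROBE_QUERY))
    # a control term that also triggers a suggestion leaves no residual at all
    print(residual_diff(render("xxy", suggest=True), "xxy", probe, PROBE_QUERY))
```

Run against real captures, the same masking step separates the did-you-mean lines from the echoed parameter exactly as the diff in the post does by eye.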

Re: [Dspace-tech] Security vulnerability - Blind SQL injection

2014-05-30 Thread Tim Donohue
Hi All,

First, thanks for the very thorough review, helix84! I've also done a 
review this morning. As far as I can tell, helix84's conclusions look to 
be correct. I also haven't been able to find any way to actually perform 
a successful SQL injection via the reported methods.

However, Koh Kim Boon, if you or anyone at your institution sees a flaw 
in our conclusions, or if we've misunderstood anything, please do let us 
know.

As two of our Committers mentioned (Hardy & helix84), we take any 
security vulnerability reports very seriously. If you or anyone else 
notices a possible security vulnerability, please send it our way. You 
are also welcome to email me (tdono...@duraspace.org) directly (or any 
of our Committers [1]), if it's an issue you'd rather not make 
immediately public. The Committers have a private listserv which is used 
to quickly analyze and patch such security issues when they arise (and 
once fixed, we will publicly report the security issue along with the 
patch).

If you have any questions, let us know!

Thanks,

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org


[1] The list of Committers is at: 
https://wiki.duraspace.org/display/DSPACE/DSpaceContributors

On 5/30/2014 7:17 AM, helix84 wrote:
 Hi Koh Kim Boon,

 by all means, I invite you to submit a Jira bug with the security flag,
 where more DSpace committers will take a look at the issue and evaluate
 it. Here is my investigation:

 This type of test checks for SQL injection attacks by adding an expression
 to URL parameters that, if processed by an SQL database, will return
 an error. The assumption is that such an SQL error will render different
 HTML output than a valid query. The tool then compares the resulting
 HTML where no error is expected and where the error is expected. If such
 a difference is found, a possible SQL injection vulnerability is reported.

 Therefore I constructed 2 queries on my test instance. I tested with
 DSpace master, DSpace 4.1 and DSpace 1.8.2:

 curl --data query=xxx \
 http://demo.dspace.org/xmlui/handle/10673/1/discover > 2

 curl --data \
 query=10%27%20OR%20%2716123%27=%271612310%27%20AND%20%2716123%27=%2716124 \
 http://demo.dspace.org/xmlui/handle/10673/1/discover > 3

 Both these queries are supposed to return an empty result set. The
 differences between the HTML replies indicate only a difference in query
 parameters, nothing else (plus, in the case of DSpace 4 there's a "Did you
 mean" suggestion which is likely to trigger this kind of alarm, but is
 not present in DSpace 1.8):


 --- 2   2014-05-30 14:03:23.0 +0200
 +++ 3   2014-05-30 14:03:42.0 +0200
 @@ -137,10 +137,14 @@
   ol
   li class=ds-form-item
   div class=ds-form-content
 -input id=aspect_discovery_SimpleSearch_field_query class=ds-text-field 
 name=query type=text value=xxx /
 +input id=aspect_discovery_SimpleSearch_field_query class=ds-text-field 
 name=query type=text value=10' OR '16123'='1612310' AND '16123'='16124 
 /
   input xmlns:i18n=http://apache.org/cocoon/i18n/2.1; 
 id=aspect_discovery_SimpleSearch_field_submit class=ds-button-field 
 search-icon name=submit type=submit value=Go /
   /div
   /li
 +li id=aspect_discovery_SimpleSearch_item_did-you-mean class=ds-form-item 
 didYouMean
 +div class=ds-form-contentDid you mean: a 
 xmlns:i18n=http://apache.org/cocoon/i18n/2.1; 
 xmlns=http://www.w3.org/1999/xhtml; 
 href=discover?rpp=10amp;page=1amp;query=10' OR '1612'='162010' AND 
 '1612'='1612amp;group_by=noneamp;e
 +/div
 +/li
   li class=ds-form-item last
   div class=ds-form-content
   a href=display-filtersAdd filters/a
 @@ -189,14 +193,14 @@
   /table
   /div
   p id=aspect_discovery_SimpleSearch_p_hidden-fields class=ds-paragraph 
 hidden
 -input id=aspect_discovery_SimpleSearch_field_query 
 class=ds-hidden-field name=query type=hidden value=xxx /
 +input id=aspect_discovery_SimpleSearch_field_query 
 class=ds-hidden-field name=query type=hidden value=10' OR 
 '16123'='1612310' AND '16123'='16124 /
   /p
   /form
   /div
   form id=aspect_discovery_SimpleSearch_div_main-form 
 class=ds-interactive-div  action=/xmlui/handle/10673/1/discover 
 method=post onsubmit=javascript:tSubmit(this);
   p id=aspect_discovery_SimpleSearch_p_hidden-fields class=ds-paragraph 
 hidden
   input id=aspect_discovery_SimpleSearch_field_search-result 
 class=ds-hidden-field name=search-result type=hidden value=true /
 -input id=aspect_discovery_SimpleSearch_field_query 
 class=ds-hidden-field name=query type=hidden value=xxx /
 +input id=aspect_discovery_SimpleSearch_field_query 
 class=ds-hidden-field name=query type=hidden value=10' OR 
 '16123'='1612310' AND '16123'='16124 /
   input id=aspect_discovery_SimpleSearch_field_current-scope 
 class=ds-hidden-field name=current-scope type=hidden value=10673/1 /
   input id=aspect_discovery_SimpleSearch_field_rpp class=ds-hidden-field 
 name=rpp type=hidden value=10 /
   input id=aspect_discovery_SimpleSearch_field_sort_by