Alex,

I'm going to put this out on twitter too.  Would you like to be
credited there as well?  What's your twitter handle?

Best Regards,
Myrle Krantz
V.P., Apache Fineract


On Wed, Dec 13, 2017 at 10:34 AM, Nazeer Shaik <[email protected]> wrote:
> CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
>
> Severity: Critical
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Fineract 0.6.0-incubating
> Apache Fineract 0.5.0-incubating
> Apache Fineract 0.4.0-incubating
>
> Description:
> Apache Fineract exposes different REST end points to query domain specific
> entities with a Query Parameter 'sqlSearch' which
> is appended directly with SQL statements. A hacker/user can inject/draft
> the 'sqlSearch' query parameter in such a way
> to read/update the data for which he doesn't have authorization.
>
> Mitigation:
> All users should migrate to Apache Fineract 1.0.0 version
> https://github.com/apache/fineract/tree/1.0.0
>
>
> Example:
> A request to retrieve the Clients with displayName=Thomas GET
> https://DomainName/api/v1/clients?sqlSearch=displayName='Thomas'
> An attacker/user can use GET https://DomainName/api/v1/clients?sqlSearch=
> or (1==1) to retrieve all clients in the system
>
> Credit:
> This issue was discovered by Alex Ivanov
>
> References:
> http://fineract.apache.org/
> https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>
> Regards,
> Apache Fineract Team
