Hi All,

First, thanks for the very thorough review, helix84! I've also done a 
review this morning. As far as I can tell, helix84's conclusions look to 
be correct. I also haven't been able to find any way to actually perform 
a successful SQL injection via the reported methods.

However, Koh Kim Boon, if you or anyone at your institution sees a flaw 
in our conclusions, or if we've misunderstood anything, please do let us 
know.

As two of our Committers mentioned (Hardy & helix84), we take any 
security vulnerability reports very seriously. If you or anyone else 
notices a possible security vulnerability, please send it our way. You 
are also welcome to email me (tdono...@duraspace.org) directly (or any 
of our Committers [1]), if it's an issue you'd rather not make 
immediately public. The Committers have a private listserv which is used 
to quickly analyze and patch such security issues when they arise (and 
once fixed, we will publicly report the security issue along with the 
patch).

If you have any questions, let us know!

Thanks,

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org


[1] The list of Committers is at: 
https://wiki.duraspace.org/display/DSPACE/DSpaceContributors

On 5/30/2014 7:17 AM, helix84 wrote:
> Hi Koh Kim Boon,
>
> by all means, I invite you to submit a Jira bug with the security flag,
> where more DSpace committers will take a look at the issue and evaluate
> it. Here is my investigation:
>
> This type of test tests for SQL injection attacks by adding an expression
> to URL parameters that, if processed by a SQL database, will return
> an error. The assumption is that such an SQL error will render different
> HTML output than a valid query. The tool will then verify the resulting
> HTML where no error is expected and where the error is expected. If such
> a difference is found, a possible SQL injection vulnerability is reported.
>
> Therefore I constructed 2 queries on my test instance. I tested with
> DSpace master, DSpace 4.1 and DSpace 1.8.2:
>
> curl --data "query=xxx" \
>   http://demo.dspace.org/xmlui/handle/10673/1/discover > 2
>
> curl --data \
>   "query=10%27%20OR%20%2716123%27=%271612310%27%20AND%20%2716123%27=%2716124" \
>   http://demo.dspace.org/xmlui/handle/10673/1/discover > 3
>
> Both these queries are supposed to return an empty result set. The
> difference between the HTML replies indicates only a difference in query
> parameters, nothing else (plus, in the case of DSpace 4 there's a "Did you
> mean" suggestion which is likely to trigger this kind of alarm, but is
> not present in DSpace 1.8):
>
>
> --- 2   2014-05-30 14:03:23.000000000 +0200
> +++ 3   2014-05-30 14:03:42.000000000 +0200
> @@ -137,10 +137,14 @@
>   <ol>
>   <li class="ds-form-item">
>   <div class="ds-form-content">
> -<input id="aspect_discovery_SimpleSearch_field_query" class="ds-text-field" 
> name="query" type="text" value="xxx" />
> +<input id="aspect_discovery_SimpleSearch_field_query" class="ds-text-field" 
> name="query" type="text" value="10' OR '16123'='1612310' AND '16123'='16124" 
> />
>   <input xmlns:i18n="http://apache.org/cocoon/i18n/2.1"; 
> id="aspect_discovery_SimpleSearch_field_submit" class="ds-button-field 
> search-icon" name="submit" type="submit" value="Go" />
>   </div>
>   </li>
> +<li id="aspect_discovery_SimpleSearch_item_did-you-mean" class="ds-form-item 
> didYouMean">
> +<div class="ds-form-content">Did you mean: <a 
> xmlns:i18n="http://apache.org/cocoon/i18n/2.1"; 
> xmlns="http://www.w3.org/1999/xhtml"; 
> href="discover?rpp=10&amp;page=1&amp;query=10' OR '1612'='162010' AND 
> '1612'='1612&amp;group_by=none&amp;e
> +</div>
> +</li>
>   <li class="ds-form-item last">
>   <div class="ds-form-content">
>   <a href="display-filters">Add filters</a>
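Review bot: the only additions in this hunk are the echoed probe string in the text field's `value` attribute and the new did-you-mean row, so the diff supports the false-positive reading. Note that the echo lands inside a double-quoted attribute and the probe contains only single quotes, so this hunk says nothing about how `"` or `<` in a query would be encoded; that is an output-encoding question separate from the SQL question the scanner raised. The did-you-mean `href` is cut off at `&amp;e` in the quoted copy, so the full suggestion link cannot be checked here.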
> @@ -189,14 +193,14 @@
>   </table>
>   </div>
>   <p id="aspect_discovery_SimpleSearch_p_hidden-fields" class="ds-paragraph 
> hidden">
> -<input id="aspect_discovery_SimpleSearch_field_query" 
> class="ds-hidden-field" name="query" type="hidden" value="xxx" />
> +<input id="aspect_discovery_SimpleSearch_field_query" 
> class="ds-hidden-field" name="query" type="hidden" value="10' OR 
> '16123'='1612310' AND '16123'='16124" />
>   </p>
>   </form>
>   </div>
>   <form id="aspect_discovery_SimpleSearch_div_main-form" 
> class="ds-interactive-div " action="/xmlui/handle/10673/1/discover" 
> method="post" onsubmit="javascript:tSubmit(this);">
>   <p id="aspect_discovery_SimpleSearch_p_hidden-fields" class="ds-paragraph 
> hidden">
>   <input id="aspect_discovery_SimpleSearch_field_search-result" 
> class="ds-hidden-field" name="search-result" type="hidden" value="true" />
> -<input id="aspect_discovery_SimpleSearch_field_query" 
> class="ds-hidden-field" name="query" type="hidden" value="xxx" />
> +<input id="aspect_discovery_SimpleSearch_field_query" 
> class="ds-hidden-field" name="query" type="hidden" value="10' OR 
> '16123'='1612310' AND '16123'='16124" />
>   <input id="aspect_discovery_SimpleSearch_field_current-scope" 
> class="ds-hidden-field" name="current-scope" type="hidden" value="10673/1" />
>   <input id="aspect_discovery_SimpleSearch_field_rpp" class="ds-hidden-field" 
> name="rpp" type="hidden" value="10" />
>   <input id="aspect_discovery_SimpleSearch_field_sort_by" 
> class="ds-hidden-field" name="sort_by" type="hidden" value="score" />
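Review bot: same reflection again, this time in the hidden `query` fields of both forms; the hidden `search-result`, `current-scope`, `rpp` and `sort_by` fields are unchanged context, and the hunk counts (-14/+14) show no element was added or removed. Consistent with the first hunk, the server treated the probe as an ordinary query string and the only difference is the echoed parameter value.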
>
>
>
> This leads me to dismiss this report as a false alarm.
>
>
> My second reason to believe this is a non-issue is that the /discover
> endpoint doesn't use its parameters to construct a SQL query, it
> constructs a Solr query instead. A Solr query injection vulnerability is
> conceivable, but very limited in impact - both in scope and duration of
> its effects.
>
> Here are the XMLUI aspects that process such URLs and thus have access to
> the "query" parameter:
>
> https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/resources/aspects/Discovery/sitemap.xmap#L149
>
> https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SidebarFacetsTransformer.java
> https://github.com/DSpace/DSpace/tree/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/discovery/SimpleSearch.java
> https://github.com/DSpace/DSpace/blob/dspace-4_x/dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/IncludePageMeta.java
>
>
> Again, I invite you to file the bug report to stimulate more independent
> review in case any of my assumptions are wrong.
>
>
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
>
>
> _______________________________________________
> DSpace-tech mailing list
> DSpace-tech@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
> List Etiquette: 
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
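
helix84's triage above boils down to one step: mask the reflected `query` parameter in both captured pages, then see whether anything else differs. The script below is an added illustration of that step (my code, not DSpace's and not the scanner's). The two "pages" are constructed stand-ins for the captures `2` and `3`, built to mirror the structure of the quoted diff, and the list of database error fragments is an assumed, generic one that a real deployment would extend.

```python
import difflib
import html

# Constructed sample inputs (not captured from demo.dspace.org): the baseline
# query and the scanner's probe string quoted in the thread.
BASELINE_QUERY = "xxx"
PROBE_QUERY = "10' OR '16123'='1612310' AND '16123'='16124"

# Assumed, generic database error fragments; extend for your own stack.
DB_ERROR_MARKERS = ("SQLException", "PSQLException", "syntax error", "ORA-")


def attr_escape(value):
    """Escape a value for a double-quoted HTML attribute the way the XMLUI
    output in the thread does: & < > and " are encoded, ' is left as-is."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def constructed_page(query, suggestion=None):
    """Minimal stand-in for the /discover page (constructed, not real XMLUI
    output): echoes the query into the visible and hidden form fields and,
    when given, adds a 'Did you mean' row like DSpace 4's."""
    q = attr_escape(query)
    lines = [
        '<form action="/xmlui/handle/10673/1/discover" method="post">',
        f'<input name="query" type="text" value="{q}" />',
    ]
    if suggestion is not None:
        s = attr_escape(suggestion)
        lines.append(f'<li class="didYouMean">Did you mean: '
                     f'<a href="discover?query={s}">{s}</a></li>')
    lines += [
        f'<input name="query" type="hidden" value="{q}" />',
        '<input name="rpp" type="hidden" value="10" />',
        "</form>",
    ]
    return "\n".join(lines)


def neutralize_echo(page, query):
    """Replace every echo of the submitted query (attribute-escaped, fully
    escaped, or raw) with a fixed token, so plain reflection of the parameter
    does not count as a difference between two responses."""
    for form in (attr_escape(query), html.escape(query, quote=True), query):
        if form:
            page = page.replace(form, "__QUERY__")
    return page


def residual_diff(baseline_page, probe_page, baseline_query, probe_query):
    """Lines that still differ once the echoed parameter is masked."""
    a = neutralize_echo(baseline_page, baseline_query).splitlines()
    b = neutralize_echo(probe_page, probe_query).splitlines()
    return [
        line
        for line in difflib.unified_diff(a, b, lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def triage(baseline_page, probe_page, baseline_query, probe_query):
    """Classify the pair: 'identical-after-echo' (only the parameter was
    reflected), 'db-error-signature' (a database error string appears in the
    residual difference), or 'needs-review' (something else changed, e.g. a
    spelling suggestion, which a human should look at)."""
    residual = residual_diff(baseline_page, probe_page, baseline_query, probe_query)
    if not residual:
        return "identical-after-echo", residual
    text = "\n".join(residual).lower()
    if any(marker.lower() in text for marker in DB_ERROR_MARKERS):
        return "db-error-signature", residual
    return "needs-review", residual


if __name__ == "__main__":
    baseline = constructed_page(BASELINE_QUERY)
    # DSpace 1.8-like: no suggestion row, so nothing but the echo differs.
    print(triage(baseline, constructed_page(PROBE_QUERY), BASELINE_QUERY, PROBE_QUERY)[0])
    # DSpace 4-like: the did-you-mean row is the only residual difference.
    verdict, residual = triage(
        baseline,
        constructed_page(PROBE_QUERY, suggestion="10' OR '1612'='162010' AND '1612'='1612"),
        BASELINE_QUERY, PROBE_QUERY,
    )
    print(verdict, residual)
```

On the constructed DSpace 4-style pair the residual diff is exactly the did-you-mean row, which is the verdict helix84 reached by eye; on the 1.8-style pair it is empty. The error-marker check is the inverse case: a page that really did surface a database error would be flagged even though the echo is masked.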

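helix84's second point is that /discover builds a Solr query, not SQL, and that a Solr query injection is conceivable but limited. The neutralization a defender wants for that case is to make sure untrusted text is parsed as a literal term or phrase before it is spliced into a Lucene/Solr query. The following is an added illustration (my code, not DSpace's); the character set is modelled on Solr's ClientUtils.escapeQueryChars as I know it and should be treated as an assumption to check against your Solr version, and the field name dc.title is assumed rather than taken from DSpace's schema.

```python
# Characters given special meaning by the Lucene/Solr query parser. The set
# and the whitespace rule follow Solr's ClientUtils.escapeQueryChars as I
# know it (assumption: verify against your Solr version).
SOLR_QUERY_SPECIALS = set('\\+-!():^[]"{}~*?|&;/')

# The scanner's probe string from the thread, used here as sample input.
PROBE = "10' OR '16123'='1612310' AND '16123'='16124"


def escape_term(user_text):
    """Backslash-escape every query-syntax character and every whitespace
    character so the text is parsed as a single literal term. Bare AND/OR
    stop acting as operators because the spaces around them are escaped."""
    return "".join(
        ("\\" + c) if (c in SOLR_QUERY_SPECIALS or c.isspace()) else c
        for c in user_text
    )


def quote_phrase(user_text):
    """Alternative: wrap the text as a phrase query, escaping only the
    backslash and the double quote that would otherwise close the phrase."""
    return '"' + user_text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_field_query(user_text, field="dc.title"):
    """Compose a field query from untrusted text (field name is assumed)."""
    return f"{field}:{escape_term(user_text)}"


def has_unescaped_special(query):
    """Self-check for a term you expect to be fully escaped: True if any
    special character or whitespace is not preceded by a backslash, or if
    the string ends in a lone backslash."""
    i = 0
    while i < len(query):
        c = query[i]
        if c == "\\":
            if i == len(query) - 1:
                return True  # trailing backslash escapes nothing
            i += 2  # backslash escapes the next character; skip both
            continue
        if c in SOLR_QUERY_SPECIALS or c.isspace():
            return True
        i += 1
    return False


if __name__ == "__main__":
    print(build_field_query(PROBE))
    print(quote_phrase(PROBE))
    print(has_unescaped_special(PROBE), has_unescaped_special(escape_term(PROBE)))
```

For the probe string the interesting characters are not the single quotes (which Solr does not treat specially) but the bare `OR` and `AND`, which the query parser would read as operators; escaping the surrounding whitespace turns the whole string into one term. The self-check is cheap enough to run as an assertion at the point where a query string is assembled.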