I'm not sure whether this bug is specific to Jyve in general, or just to
the current implementation of it on locus.apache.org; however, it appears
that Jyve is not escaping single quotes in SQL queries. When doing a query
at http://locus.apache.org/jyve-faq/Turbine/screen/SearchGlobal that
contains a quotation mark ('), the server replies:
-----------------------------------------
There has been an error! Please review the exception below for more
information.
Get/Post Data:
screen = SearchResults
search = this isn't happening
The exception is:
java.sql.SQLException: Error during query: Unexpected Exception:
java.sql.SQLException message given: Syntax error or access violation: You
have an error in your SQL syntax near 't happening%' OR t.topic_value
LIKE '%this isn't happening%' OR f.faq_value ' at line 1
at org.gjt.mm.mysql.Connection.execSQL(Connection.java:807)
at org.gjt.mm.mysql.Connection.execSQL(Connection.java:740)
at org.gjt.mm.mysql.Statement.executeQuery(Statement.java:159)
at com.workingdogs.village.QueryDataSet.<init>(QueryDataSet.java:112)
at org.apache.jyve.screens.SearchResults.build(SearchResults.java:160)
at org.apache.turbine.modules.ScreenLoader.eval(ScreenLoader.java:122)
at org.apache.jyve.layouts.DefaultLayout.build(DefaultLayout.java:92)
at org.apache.turbine.modules.LayoutLoader.exec(LayoutLoader.java:115)
at org.apache.turbine.modules.pages.DefaultPage.build(DefaultPage.java:96)
at org.apache.turbine.modules.PageLoader.exec(PageLoader.java:115)
at Turbine.doGet(Turbine.java:284)
at Turbine.doPost(Turbine.java:371)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:521)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:588)
at org.apache.jserv.JServConnection.processRequest(JServConnection.java:314)
at org.apache.jserv.JServConnection.run(JServConnection.java:188)
at java.lang.Thread.run(Thread.java)
java.sql.SQLException: Error during query: Unexpected Exception:
java.sql.SQLException message given: Syntax error or access violation: You
have an error in your SQL syntax near 't happening%' OR t.topic_value
LIKE '%this isn't happening%' OR f.faq_value ' at line 1
---------------------------------------
This can probably be abused to get unauthorized access to the MySQL database.
Regards,
-Gary Gurevich
--
--------------------------------------------------------------
Archives and Other: <http://java.apache.org/main/mail.html>