SQL Injection Vulnerability?
Fellow Bricoleurs,

Google Alerts notified me of this page yesterday:

http://packetstormsecurity.org/files/113840/bricolagecms-sqlxss.txt

We should not have any SQL injection vulnerabilities, because all of our code *should* be using placeholders. Can anyone confirm? (I'm not equipped to load it up and test right now.)

Thanks,

David

Re: SQL Injection Vulnerability?
Hi David,

Hmm, the demo:

> DEMO:
> A)Persistent XSS
> 1. http://localhost/admin/profile/output_channel/
> DEMO: http://demo.bricolagecms.org/admin/profile/output_channel/
> In 'Name' and 'Description' field,
> POST DATA= "'-->><script>alert(0)</script>
>
> 2. http://localhost/admin/profile/source/
> DEMO: http://demo.bricolagecms.org/admin/profile/source/
> In 'Source Name' and 'description' field,
> POST DATA= "'-->><script>alert(0)</script>
>
> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
> 1. http://localhost/admin/profile/element_type/
> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
> In 'Source Name' and 'description' field,
> POST DATA= "'-->><script>alert(0)</script>


looks like cross-site scripting (i.e. entering HTML into fields; output
is not escaped when displayed).

No info that I can see on actual sql injection.

Cheers,

Alex

Re: SQL Injection Vulnerability?
On Jun 20, 2012, at 6:56 PM, Alex Krohn wrote:

>> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
>> 1. http://localhost/admin/profile/element_type/
>> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
>> In 'Source Name' and 'description' field,
>> POST DATA= "'-->><script>alert(0)</script>
>
>
> looks like cross-site scripting (i.e. entering HTML into fields; output
> is not escaped when displayed).
>
> No info that I can see on actual sql injection.

Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?

David

Re: SQL Injection Vulnerability?
> >> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
> >> 1. http://localhost/admin/profile/element_type/
> >> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
> >> In 'Source Name' and 'description' field,
> >> POST DATA= "'-->><script>alert(0)</script>
> >
> >
> > looks like cross-site scripting (i.e. entering HTML into fields; output
> > is not escaped when displayed).
> >
> > No info that I can see on actual sql injection.
>
> Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?

I tested it out on demo.bricolagecms.org and put script tags in, and
everywhere I could see it was escaped. Quite possible some places it
might not be, though.

Cheers,

Alex

Re: SQL Injection Vulnerability?
On 06/20/12 14:40, Alex Krohn wrote:
>>>> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
>>>> 1. http://localhost/admin/profile/element_type/
>>>> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
>>>> In 'Source Name' and 'description' field,
>>>> POST DATA= "'-->><script>alert(0)</script>
>>>
>>>
>>> looks like cross-site scripting (i.e. entering HTML into fields; output
>>> is not escaped when displayed).
>>>
>>> No info that I can see on actual sql injection.
>>
>> Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?
>
> I tested it out on demo.bricolagecms.org and put script tags in, and
> everywhere I could see it was escaped. Quite possible some places it
> might not be, though.

I think the issue is when you then search for that element type. The
element name isn't HTML-escaped in the search results.

Adrian
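
An added example of the mechanism Adrian describes (this is illustration code, not Bricolage's own): the same stored element-type name is displayed by two sinks, a profile page that escapes on output and a search listing that interpolates the stored value raw. The advisory's probe string is saved under both fields and every sink is rendered to see which one echoes it back unescaped. The in-memory store, the function names and the `/admin/profile/element_type/?name=` link are assumptions made for the example.

```python
"""Stored XSS at one sink but not another: escape-on-output must be applied
at every place a stored value is displayed, in the context of that place.
Constructed example; the store and page layouts below are not Bricolage's."""
import html
import urllib.parse
from typing import Dict

# Probe string taken from the advisory quoted earlier in the thread.
PROBE = '"\'-->><script>alert(0)</script>'

# Constructed stand-in for the element_type table: name -> description.
ELEMENT_TYPES: Dict[str, str] = {}


def save_element_type(name: str, description: str) -> None:
    """Store the raw input. Storing raw is fine (and is what placeholders
    protect); the defect the thread found is at an output sink."""
    ELEMENT_TYPES[name] = description


def render_profile(name: str) -> str:
    """Profile page: escapes both values for an HTML text context, which is
    why Alex saw the script tags come back escaped when editing the record."""
    desc = ELEMENT_TYPES[name]
    return "<h1>%s</h1><p>%s</p>" % (
        html.escape(name, quote=True),
        html.escape(desc, quote=True),
    )


def render_search_vulnerable(query: str) -> str:
    """Search results as Adrian describes them: the stored name is dropped
    into the page unchanged, both inside the href and as the link text."""
    rows = []
    for name in ELEMENT_TYPES:
        if query.lower() in name.lower():
            rows.append('<li><a href="/admin/profile/element_type/?name=%s">%s</a></li>'
                        % (name, name))
    return "<ul>" + "".join(rows) + "</ul>"


def render_search_fixed(query: str) -> str:
    """Same listing with escaping chosen per context: percent-encode the name
    for the URL, then HTML-escape the whole href for the attribute, and
    HTML-escape the name again for the text node."""
    rows = []
    for name in ELEMENT_TYPES:
        if query.lower() in name.lower():
            href = "/admin/profile/element_type/?name=" + urllib.parse.quote(name, safe="")
            rows.append('<li><a href="%s">%s</a></li>'
                        % (html.escape(href, quote=True), html.escape(name, quote=True)))
    return "<ul>" + "".join(rows) + "</ul>"


def reflects_raw(rendered: str, probe: str = PROBE) -> bool:
    """True if the probe survived rendering verbatim, i.e. this sink would
    execute the script. A correctly escaped page contains &lt;script&gt; only."""
    return probe in rendered


def audit() -> Dict[str, bool]:
    """Store the probe under both fields, then render every sink that can
    display it and report which ones echo it back unescaped."""
    save_element_type(PROBE, PROBE)
    return {
        "profile": reflects_raw(render_profile(PROBE)),
        "search_vulnerable": reflects_raw(render_search_vulnerable("script")),
        "search_fixed": reflects_raw(render_search_fixed("script")),
    }


if __name__ == "__main__":
    for sink, vulnerable in audit().items():
        print("%-18s %s" % (sink, "UNESCAPED" if vulnerable else "escaped"))
```

The point for reviewing the real code is the one `audit()` makes: checking the field where the value was entered is not enough, because each template or Mason component that later displays the name is a separate sink, and search listings, dropdowns and log views are the usual ones that get missed. Note also that the fix escapes differently for the attribute, the URL and the text node; a single "escape on save" pass cannot do that, which is why escaping belongs at output.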

Re: SQL Injection Vulnerability?
On Jun 20, 2012, at 11:50 PM, Adrian Yee wrote:

> I think the issue is when you then search for that element type. The element name isn't HTML-escaped in the search results.

Ah. Would you mind filing a bug report about that, Adrian?

Thanks,

David