Bug 1350803

Summary: CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Product: Red Hat Satellite Reporter: Zach Huntington-Meath <zhunting>
Component: SecurityAssignee: Justin Sherrill <jsherril>
Status: CLOSED ERRATA QA Contact: Adam Ruzicka <aruzicka>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: aruzicka, cwelton, ehelms
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/14381
Whiteboard:
Fixed In Version: rubygem-katello-3.0.0.53-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 11:17:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1322050    

Description Zach Huntington-Meath 2016-06-28 12:28:12 UTC 
The sort_by and sort_attr parameters to any controller that uses scoped_search searching are not properly sanitized and thus can be exploited to perform sql injection.

On the current release (2.4) most any api index call is vulnerable such as:

/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories

On older releases (2.3) only the errata api is affected:

/katello/api/v2/errata

An example showing the injection is:

 curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'

{"displayMessage":"PGError: ERROR:  unterminated quoted string at or near \"', 

I was not able to cause an update via this exploit, as it appeared that active record was handling part of the exploit (although i may have just not been talented enough).  The reporter was able to retrieve additional information from the database as a result though.
Comment 1 Zach Huntington-Meath 2016-06-28 12:28:13 UTC 
Created from redmine issue http://projects.theforeman.org/issues/14381
Comment 2 Zach Huntington-Meath 2016-06-28 12:28:16 UTC 
Upstream bug assigned to jsherril
Comment 4 Adam Ruzicka 2016-06-30 10:28:09 UTC 
VERIFIED.
Sat 6.2 GA 18.1
tfm-rubygem-katello-3.0.0.54-1.el7sat.noarch

$ curl -k -u admin:changeme -X GET https://localhost/katello/api/v2/errata?sort_by=\'id\&sort_order=ASC\' 2>/dev/null | json_reformat
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "error": null,
    "search": null,
    "sort": {
        "by": "'id",
        "order": "ASC'"
    },
    "results": [

    ]
}

Apostrophes are properly escaped
Comment 5 Bryan Kearney 2016-07-27 11:17:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501