Bug 1350803 - CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Summary: CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Justin Sherrill
QA Contact: Adam Ruzicka
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: CVE-2016-3072
TreeView+ depends on / blocked
 
Reported: 2016-06-28 12:28 UTC by Zach Huntington-Meath
Modified: 2019-09-25 20:34 UTC (History)
3 users (show)

Fixed In Version: rubygem-katello-3.0.0.53-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:17:08 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 14381 0 None None None 2016-06-28 13:05:23 UTC

Description Zach Huntington-Meath 2016-06-28 12:28:12 UTC
The sort_by and sort_attr parameters to any controller that uses scoped_search searching are not properly sanitized and thus can be exploited to perform sql injection.

On the current release (2.4) most any api index call is vulnerable such as:

/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories

On older releases (2.3) only the errata api is affected:

/katello/api/v2/errata

An example showing the injection is:

 curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'

{"displayMessage":"PGError: ERROR:  unterminated quoted string at or near \"', 

I was not able to cause an update via this exploit, as it appeared that active record was handling part of the exploit (although i may have just not been talented enough).  The reporter was able to retrieve additional information from the database as a result though.

Comment 1 Zach Huntington-Meath 2016-06-28 12:28:13 UTC
Created from redmine issue http://projects.theforeman.org/issues/14381

Comment 2 Zach Huntington-Meath 2016-06-28 12:28:16 UTC
Upstream bug assigned to jsherril@redhat.com

Comment 4 Adam Ruzicka 2016-06-30 10:28:09 UTC
VERIFIED.
Sat 6.2 GA 18.1
tfm-rubygem-katello-3.0.0.54-1.el7sat.noarch

$ curl -k -u admin:changeme -X GET https://localhost/katello/api/v2/errata?sort_by=\'id\&sort_order=ASC\' 2>/dev/null | json_reformat
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "error": null,
    "search": null,
    "sort": {
        "by": "'id",
        "order": "ASC'"
    },
    "results": [

    ]
}

Apostrophes are properly escaped

Comment 5 Bryan Kearney 2016-07-27 11:17:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501


Note You need to log in before you can comment on or make changes to this bug.