Bug 1350803 - CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Summary: CVE-2016-3072 Authenticated sql injection via sort_by and sort_attr parameters
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: Unspecified
Assignee: Justin Sherrill
QA Contact: Adam Ruzicka
URL: http://projects.theforeman.org/issues...
Depends On:
Blocks: CVE-2016-3072
TreeView+ depends on / blocked
Reported: 2016-06-28 12:28 UTC by Zach Huntington-Meath
Modified: 2019-09-25 20:34 UTC (History)
3 users (show)

Fixed In Version: rubygem-katello-
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-07-27 11:17:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 14381 0 None None None 2016-06-28 13:05:23 UTC

Description Zach Huntington-Meath 2016-06-28 12:28:12 UTC
The sort_by and sort_attr parameters to any controller that uses scoped_search searching are not properly sanitized and thus can be exploited to perform sql injection.

On the current release (2.4) most any api index call is vulnerable such as:


On older releases (2.3) only the errata api is affected:


An example showing the injection is:

 curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'

{"displayMessage":"PGError: ERROR:  unterminated quoted string at or near \"', 

I was not able to cause an update via this exploit, as it appeared that active record was handling part of the exploit (although i may have just not been talented enough).  The reporter was able to retrieve additional information from the database as a result though.

Comment 1 Zach Huntington-Meath 2016-06-28 12:28:13 UTC
Created from redmine issue http://projects.theforeman.org/issues/14381

Comment 2 Zach Huntington-Meath 2016-06-28 12:28:16 UTC
Upstream bug assigned to jsherril@redhat.com

Comment 4 Adam Ruzicka 2016-06-30 10:28:09 UTC
Sat 6.2 GA 18.1

$ curl -k -u admin:changeme -X GET https://localhost/katello/api/v2/errata?sort_by=\'id\&sort_order=ASC\' 2>/dev/null | json_reformat
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "error": null,
    "search": null,
    "sort": {
        "by": "'id",
        "order": "ASC'"
    "results": [


Apostrophes are properly escaped

Comment 5 Bryan Kearney 2016-07-27 11:17:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.