The sort_by and sort_attr parameters to any controller that uses scoped_search searching are not properly sanitized and thus can be exploited to perform SQL injection.

On the current release (2.4) most any API index call is vulnerable, such as:

/katello/api/v2/products
/katello/api/v2/systems
/katello/api/v2/repositories

On older releases (2.3) only the errata API is affected:

/katello/api/v2/errata

An example showing the injection is:

curl -k -u admin:changeme -X GET https://`hostname`/katello/api/v2/errata?sort_by=id\&sort_order=ASC\'
{"displayMessage":"PGError: ERROR: unterminated quoted string at or near \"',

I was not able to cause an update via this exploit, as it appeared that Active Record was handling part of the exploit (although I may have just not been talented enough). The reporter was able to retrieve additional information from the database as a result though.
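The root cause described above is user-controlled sort_by / sort_order values reaching an ORDER BY clause without validation. The usual defence for sort parameters is not escaping but allowlisting: only a fixed set of column names and the two literal directions are accepted, and anything else is rejected before any SQL is built. The following is an added illustration of that approach in plain Ruby, written for this page; it is not Katello's or scoped_search's code, and the resource names and column lists are assumed for the example. The sample parameters mirror the payloads quoted in the report.

```ruby
# Added example (not Katello's or scoped_search's own code): allowlist
# validation of user-supplied sort parameters before they reach ORDER BY.
# Resource and column names below are assumed for illustration only.

ALLOWED_SORT_COLUMNS = {
  "errata"   => %w[id errata_id issued updated title],
  "products" => %w[id name label created_at],
}.freeze

ALLOWED_SORT_ORDERS = %w[ASC DESC].freeze

class InvalidSortParameter < ArgumentError; end

# Returns an ORDER BY fragment assembled only from allowlisted tokens.
# Values such as "'id" or "ASC'" are rejected outright rather than escaped,
# so no user-supplied bytes are ever interpolated into the SQL string.
def safe_order_clause(resource, sort_by, sort_order, default_by: "id")
  columns = ALLOWED_SORT_COLUMNS.fetch(resource) do
    raise InvalidSortParameter, "unknown resource #{resource.inspect}"
  end

  by    = (sort_by.nil? || sort_by.to_s.empty?) ? default_by : sort_by.to_s
  order = (sort_order.nil? || sort_order.to_s.empty?) ? "ASC" : sort_order.to_s.upcase

  raise InvalidSortParameter, "sort_by not allowed: #{by.inspect}" unless columns.include?(by)
  raise InvalidSortParameter, "sort_order not allowed: #{order.inspect}" unless ALLOWED_SORT_ORDERS.include?(order)

  "#{by} #{order}"
end

# Controller-style wrapper: returns [clause, nil] on success or [nil, message]
# on bad input, so the API can answer with a 400 instead of a database error.
def order_clause_or_error(resource, params)
  [safe_order_clause(resource, params["sort_by"], params["sort_order"]), nil]
rescue InvalidSortParameter => e
  [nil, e.message]
end

if __FILE__ == $0
  # Constructed sample query parameters, modelled on the payloads in the report.
  [
    { "sort_by" => "id",  "sort_order" => "ASC" },
    { "sort_by" => "id",  "sort_order" => "ASC'" },
    { "sort_by" => "'id", "sort_order" => "ASC'" },
    { "sort_by" => nil,   "sort_order" => nil },
  ].each do |params|
    clause, err = order_clause_or_error("errata", params)
    puts(err ? "rejected #{params.inspect}: #{err}" : "ok: ORDER BY #{clause}")
  end
end
```

Rejecting rather than escaping is deliberate: identifiers and keywords cannot be bound as prepared-statement parameters, so the only safe way to let a client choose them is to map the request onto values the server already owns. The verification comment further down shows the patched Katello returning the apostrophes in the response JSON unharmed, which is consistent with the input no longer being spliced into SQL.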
Created from redmine issue http://projects.theforeman.org/issues/14381
Upstream bug assigned to jsherril@redhat.com
VERIFIED.

Sat 6.2 GA 18.1
tfm-rubygem-katello-3.0.0.54-1.el7sat.noarch

$ curl -k -u admin:changeme -X GET https://localhost/katello/api/v2/errata?sort_by=\'id\&sort_order=ASC\' 2>/dev/null | json_reformat
{
  "total": 0,
  "subtotal": 0,
  "page": 1,
  "per_page": 20,
  "error": null,
  "search": null,
  "sort": {
    "by": "'id",
    "order": "ASC'"
  },
  "results": [ ]
}

Apostrophes are properly escaped.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501