[opencms-dev] Security issue
Alexandru Gyori
alexandru.gyori at hotmail.com
Mon Nov 28 21:29:47 CET 2011
Hello,
I'd like to report a security vulnerability of OpenCMS.
I have downloaded the OpenCMS_8.0.3 sources; this vulnerability is present
in the current svn source files.
In org.opencms.i18n.CmsEncoder you have the method:
/**
* A simple method to avoid injection.<p>
*
* Replaces all single quotes to double single quotes in the value
parameter of the SQL statement.<p>
*
* @param source the String to escape SQL from
* @return the escaped value of the parameter source
*/
public static String escapeSql(String source) {
return source.replaceAll("'", "''");
}
This method is unsafe and vulnerable as you can find out by reading:
http://www.unixwiz.net/techtips/sql-injection.html
The before-mentioned method does not properly sanitize SQL.
The point of interest is:
However, this naïve approach can be beaten because most databases support
other string escape mechanisms. MySQL, for instance, also permits \' to
escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by
doubling the quotes, we get:
SELECT fieldlist
FROM customers
WHERE name = '\''; DROP TABLE users; --'; -- Boom!
Hope you'll fix this soon. Good luck!
Regards,
Alexandru GYORI
Junior researcher IEAT
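The bypass described in the message above, worked through as an added example (this is not OpenCms code and not part of the original mail): the naive quote-doubling escaper is ported to Python, a small scanner mimics how MySQL tokenizes a single-quoted literal under its default settings (backslash escapes the next character, `''` is a literal quote; it assumes `NO_BACKSLASH_ESCAPES` is off and treats `--` as a comment to end of line), and `split_statements` shows that the constructed payload `\'; DROP TABLE users; --` breaks out of the literal and yields a second statement. A backslash-aware escaper is shown only for contrast; the fix a reviewer would actually ask for is the parameterised query at the end, demonstrated on an in-memory SQLite database with constructed rows. All function names here are the example's own.

```python
"""Added example: why doubling single quotes does not stop SQL injection on
MySQL, and what a parameterised query does instead. Not OpenCms code."""
import sqlite3


def escape_sql_naive(source: str) -> str:
    """Port of the escaper reported in the mail: doubles single quotes only."""
    return source.replace("'", "''")


def escape_sql_backslash(source: str) -> str:
    """MySQL-style escaper: escape the backslash first, then the quote. Closes
    the hole above but still depends on sql_mode and connection charset, so it
    is shown for contrast only; bound parameters are the real fix."""
    return source.replace("\\", "\\\\").replace("'", "\\'")


def mysql_literal_end(sql: str, start: int) -> int:
    """Index just past the closing quote of the single-quoted literal that opens
    at sql[start], following MySQL's default lexing: a backslash escapes the next
    character and '' is a literal quote. Assumption: NO_BACKSLASH_ESCAPES is off."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2                      # backslash consumes the next character
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote stays inside the literal
                continue
            return i + 1                # unescaped quote closes the literal
        i += 1
    raise ValueError("unterminated string literal")


def split_statements(sql: str) -> list:
    """Split SQL text into top-level statements as a MySQL parser would see them:
    ';' inside a string literal does not split, '--' comments run to end of line."""
    stmts, buf, i = [], [], 0
    while i < len(sql):
        c = sql[i]
        if c == "'":
            end = mysql_literal_end(sql, i)
            buf.append(sql[i:end])
            i = end
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl + 1
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


# Constructed attacker input, exactly as in the mail: \'; DROP TABLE users; --
PAYLOAD = "\\'; DROP TABLE users; --"


def build_query(name: str, escaper) -> str:
    """String-concatenated query in the style the escaper was written for."""
    return "SELECT fieldlist FROM customers WHERE name = '" + escaper(name) + "'"


def parameterised_lookup(name: str):
    """The fix: bind the value instead of splicing it into SQL text. Uses an
    in-memory SQLite database with constructed rows; returns the matched names
    and whether the users table still exists afterwards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, fieldlist TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "a"), (PAYLOAD, "evil")])
    rows = conn.execute(
        "SELECT name FROM customers WHERE name = ?", (name,)).fetchall()
    users_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'"
    ).fetchone()[0] == 1
    conn.close()
    return [r[0] for r in rows], users_exists


if __name__ == "__main__":
    for esc in (escape_sql_naive, escape_sql_backslash):
        print(esc.__name__, "->", split_statements(build_query(PAYLOAD, esc)))
    print(parameterised_lookup(PAYLOAD))
```

Running it shows the naive escaper producing two statements, the second being `DROP TABLE users`, while the same payload bound as a parameter simply matches the row whose name is literally that string and leaves the `users` table alone.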