[opencms-dev] Security issue

Alexandru Gyori alexandru.gyori at hotmail.com
Mon Nov 28 21:29:47 CET 2011


Hello,

I’d like to report a security vulnerability in OpenCMS.

I have downloaded the OpenCMS_8.0.3 sources; this vulnerability is present
in the current svn source files.

In org.opencms.i18n.CmsEncoder you have the method:

    /**
     * A simple method to avoid injection.<p>
     *
     * Replaces all single quotes to double single quotes in the value
     * parameter of the SQL statement.<p>
     *
     * @param source the String to escape SQL from
     * @return the escaped value of the parameter source
     */
    public static String escapeSql(String source) {

        return source.replaceAll("'", "''");
    }

This method is unsafe and vulnerable, as you can find out by reading:
http://www.unixwiz.net/techtips/sql-injection.html

The aforementioned method does not properly sanitize SQL.

The point of interest is:

“However, this naïve approach can be beaten because most databases support
other string escape mechanisms. MySQL, for instance, also permits \' to
escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by
doubling the quotes, we get:

SELECT fieldlist
  FROM customers
 WHERE name = '\''; DROP TABLE users; --';  -- Boom!”

Hope you’ll fix this soon. Good luck!

Regards,

Alexandru GYORI

Junior researcher IEAT
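The following is an added illustration, not part of the original message and not OpenCms code. It re-implements the quote-doubling escape in Python, shows with a small tokenizer how the quoted MySQL backslash rule lets the statement boundary escape the string literal while standard SQL quoting does not, and then shows the defence that does not depend on escaping at all: binding the value as a query parameter. The `customers` and `users` tables, the `PAYLOAD` value (taken from the quoted article) and the use of an in-memory SQLite database as a stand-in for the real database are all constructed for this example.

```python
"""
Added example (not from the mailing-list post or from OpenCms): why doubling
single quotes is not a SQL-injection defence, and what to do instead.
Assumes a hypothetical 'customers' table and the MySQL backslash rule quoted
in the post; SQLite stands in for the real database.
"""
import sqlite3

# The input quoted in the post: backslash, quote, statement terminator, comment.
PAYLOAD = "\\'; DROP TABLE users; --"


def escape_sql(source: str) -> str:
    """Python equivalent of CmsEncoder.escapeSql: double every single quote."""
    return source.replace("'", "''")


def build_query_by_escaping(name: str) -> str:
    """The unsafe pattern: interpolate an 'escaped' value into the statement text."""
    return f"SELECT fieldlist FROM customers WHERE name = '{escape_sql(name)}'"


def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """
    Minimal model of how a SQL parser finds statement boundaries: split on ';'
    outside string literals and stop at a '--' comment. With
    backslash_escapes=True a backslash escapes the next character inside a
    literal (the MySQL rule from the post); with False only '' is an escape
    (standard SQL). This is a teaching model, not a real SQL parser.
    """
    statements, current, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if backslash_escapes and ch == "\\" and i + 1 < len(sql):
                current.append(sql[i:i + 2])   # \x stays inside the literal
                i += 2
                continue
            if ch == "'":
                if sql.startswith("''", i):    # doubled quote stays inside
                    current.append("''")
                    i += 2
                    continue
                in_string = False               # literal ends here
        elif ch == "'":
            in_string = True
        elif sql.startswith("--", i):
            break                               # rest of the text is a comment
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def lookup_parameterized(name: str) -> tuple[list, bool]:
    """
    The fix: pass the value as a bound parameter so it never reaches the SQL
    parser as statement text. Builds constructed 'customers' and 'users'
    tables in memory and returns (rows matched, users table still present).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (fieldlist TEXT, name TEXT)")
    conn.execute("INSERT INTO customers VALUES ('a', 'alice')")
    conn.execute("CREATE TABLE users (id INTEGER)")
    rows = conn.execute(
        "SELECT fieldlist FROM customers WHERE name = ?", (name,)
    ).fetchall()
    users_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1
    conn.close()
    return rows, users_exists


if __name__ == "__main__":
    query = build_query_by_escaping(PAYLOAD)
    print(query)
    print("MySQL-style parsing:   ", split_statements(query, backslash_escapes=True))
    print("standard SQL parsing:  ", split_statements(query, backslash_escapes=False))
    print("parameterized lookup:  ", lookup_parameterized(PAYLOAD))
```

Under the backslash rule the escaped query splits into two statements, the second being `DROP TABLE users`; under standard quoting it stays one statement with an odd-looking but harmless literal. The parameterized lookup returns no rows for the payload and leaves the `users` table in place, which is the property a fix should have: in Java that is `PreparedStatement` with `?` placeholders rather than any string escaping. Note that the model is deliberately simple; MySQL's actual behaviour also depends on its SQL mode (for example `NO_BACKSLASH_ESCAPES`), which is exactly why escaping tuned to one database is fragile.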
