Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #7887 Blind SQL injection in cross reference
    Actions
    Infos
    #7887
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-02-25 15:47
    7893
    Details
    Blind SQL injection in cross reference

    Tuleap does not sanitize properly user inputs when constructing a SQL query for removing a cross reference.

    Impact

    An attacker could execute arbitrary SQL queries.
    CVSSv2 score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

    Exploitation

    The page <tuleap_url>/reference/rmreference.php is exploitable via the parameter target_type, the attacker must be a project administrator for at least one project.

    The vulnerability can be demonstrated using this query:
    <tuleap_url>/reference/rmreference.php?target_gid=<project_id>&source_gid=<project_id>&target_type=' and 1=(select benchmark(5000000,md5('a'))) or '
    When the vulnerability is present, the query will take a large amount of time to be executed by the DBMS.

    References

    https://cwe.mitre.org/data/definitions/89.html
    https://www.owasp.org/index.php/SQL_Injection

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-03-02
    Attachments
    Artifact links
    Empty
    Empty
    References
    Referencing request #7887

    Artifact Tracker v5

    rel #7843 7.11

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/70/3670/1' of ssh://gerrit.tuleap.net:29418/tuleap into tuleap-stable-master 503effb769
    User avatar Manuel Vacelet (vaceletm) , 2015-03-02 13:41
    request #7887: Properly escape SQL queries in cross reference fd172489f6
    User avatar Thomas Gerbet (tgerbet) , 2015-02-25 16:14

    Release

    release #102
    Referenced by request #7887

    Other

    gerrit #7887
    Display settings

    Follow-ups

    User avatar
    Manuel Vacelet (vaceletm)2015-03-02 13:47
    Merged in 7.10.99.59
    • Status changed from Under review to Closed
    • Close date set to 2015-03-02
    User avatar
    Thomas Gerbet (tgerbet)2015-02-25 16:28
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes