request #9502 SQL injection through widgets management
    Infos
    #9502
    Thomas Gerbet (tgerbet)
    2016-10-17 11:35
    2016-09-16 15:01
    9770
    Details
    SQL injection through widgets management

    Tuleap does not properly sanitize user input when constructing SQL queries in the widgets management area.

    Impact

    An authenticated attacker could execute arbitrary SQL queries.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Proof of concept

    One possible way to demonstrate the vulnerability is to go to the update layout page (My Personal Page -> Customize widgets -> Customize layout) and to intercept the update request, or modify the form, so that the parameter layout_id is set to something like `1 OR SLEEP(50) #`. If the vulnerability is present, the request will take a long time to be processed by the database.
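    The root cause described above is that the layout identifier taken from the request reaches the SQL text unchanged. The following is an added example, not Tuleap's own code: it contrasts the vulnerable string-building pattern with a hardened version that only accepts a plain decimal integer and binds it as a parameter. The table name `owner_layouts`, the column names and the helper names are hypothetical; the sample rows are constructed, and SQLite stands in for the real database.

```python
import re
import sqlite3

# Constructed stand-in schema for a "which layout does this owner use" table.
# Table and column names are hypothetical, not Tuleap's.
SCHEMA = """
CREATE TABLE owner_layouts (
    owner_id  INTEGER NOT NULL,
    layout_id INTEGER NOT NULL
);
"""

# A layout id is an opaque integer; nothing else should ever be accepted.
LAYOUT_ID_RE = re.compile(r"[0-9]+")


def build_update_unsafe(owner_id, layout_id):
    """Vulnerable pattern: request input is interpolated into the SQL text.

    Whatever the client sends as layout_id becomes part of the statement,
    which is exactly the condition the advisory describes.
    """
    return (
        f"UPDATE owner_layouts SET layout_id = {layout_id} "
        f"WHERE owner_id = {owner_id}"
    )


def validate_layout_id(raw):
    """Hardened input handling: accept only a decimal integer string."""
    if not isinstance(raw, str) or not LAYOUT_ID_RE.fullmatch(raw):
        raise ValueError(f"invalid layout_id: {raw!r}")
    return int(raw)


def update_layout_safe(conn, owner_id, raw_layout_id):
    """Validate first, then let the driver bind the value as a parameter.

    Returns the number of rows updated.
    """
    layout_id = validate_layout_id(raw_layout_id)
    cur = conn.execute(
        "UPDATE owner_layouts SET layout_id = ? WHERE owner_id = ?",
        (layout_id, owner_id),
    )
    return cur.rowcount


def make_db():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO owner_layouts VALUES (?, ?)",
        [(1, 1), (2, 1), (3, 2)],
    )
    return conn


def is_rejected(raw_layout_id):
    """True when the hardened validator refuses the value."""
    try:
        validate_layout_id(raw_layout_id)
    except ValueError:
        return True
    return False


def demo():
    """Show the payload from the proof of concept against both versions."""
    payload = "1 OR SLEEP(50) #"  # value quoted in the advisory
    unsafe_sql = build_update_unsafe(1, payload)
    conn = make_db()
    changed = update_layout_safe(conn, 1, "2")
    current = conn.execute(
        "SELECT layout_id FROM owner_layouts WHERE owner_id = 1"
    ).fetchone()[0]
    return {
        # the unsafe builder carries the payload verbatim into the statement
        "payload_in_sql": payload in unsafe_sql,
        # the hardened path refuses it before any SQL is built
        "payload_rejected": is_rejected(payload),
        "rows_changed": changed,
        "layout_after": current,
    }


if __name__ == "__main__":
    print(demo())
```

    The same two controls apply in Tuleap's PHP code: reject anything for layout_id that is not an integer before it is used, and pass the value to a prepared statement rather than concatenating it into the query. The validation step matters even with parameter binding, because it also turns a malformed request into a clean error instead of a silently coerced value.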

    References

    https://cwe.mitre.org/data/definitions/89.html
    https://www.owasp.org/index.php/SQL_Injection

    Credit

    Thanks to Mehmet Ince from PRODAFT for having responsibly disclosed this vulnerability.

    Status: Closed
    Close date: 2016-09-17

    Follow-ups

    Thomas Gerbet (tgerbet) 2016-09-23 16:40
    Add credit.

    Integrated into Tuleap 8.19.99.2

    • Status changed from Under review to Closed
    • Close date set to 2016-09-17