•  
      request #10839 SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field
    Infos
    #10839
    Thomas Gerbet (tgerbet)
    2017-12-11 13:11
    2017-11-21 11:22
    11068
    Details
    SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field

    Tuleap does not sanitize properly user inputs when constructing SQL queries for a tracker report when a criteria is a cross reference or a permissions on artifact field.

    Impact

    An attacker with access to a tracker report with a cross references criteria could execute arbitrary SQL queries.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    Put the character ' into the cross reference criteria of a tracker report, you will get a DB error caused by the resulting broken query.

    References

    CWE-89
    https://www.owasp.org/index.php/SQL_Injection

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-11-21
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-11-21 11:59
    Issue is also present with the "Permissions on artifact" field.

    • Summary
      -SQL injection in tracker report search when a criteria is a cross references field 
      +SQL injection in tracker report search when a criteria is a cross references or a permissions on artifact field 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes