      request #11192 Filters set in tracker reports are vulnerable to SQL injections
    Infos
    #11192
    Thomas Gerbet (tgerbet)
    2018-03-05 18:11
    2018-02-26 13:52
    10786
    Details
    Filters set in tracker reports are vulnerable to SQL injections

    Tuleap does not properly sanitize user input when constructing SQL queries for a tracker report when a criterion is a cross reference or a permissions on artifact field.

    Impact

    An attacker with access to a tracker report could execute arbitrary SQL queries.
    CVSSv3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    Using a select box bound to a user group, select None and use ) as the second sent value (intercept and modify the request to do so). You will get a DB error caused by the resulting broken query and the lack of proper escaping.
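
    The failure mode described above, reproduced on a constructed SQLite table beside a validated, parameterized version of the same filter. This is an added example, not Tuleap's code or the patch in gerrit #10682; the table, column and function names and the id 100 standing for None are assumptions.

```python
import sqlite3

# Constructed schema and rows; names are hypothetical, not Tuleap's.
# ugroup_id 100 is a constructed placeholder for the "None" choice.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE artifact_perm (artifact_id INTEGER, ugroup_id INTEGER)")
    db.executemany("INSERT INTO artifact_perm VALUES (?, ?)",
                   [(1, 100), (2, 101), (3, 102)])
    return db

def filter_vulnerable(db, submitted):
    # 'Before' pattern: submitted select-box values are pasted into the SQL text.
    sql = ("SELECT artifact_id FROM artifact_perm "
           "WHERE ugroup_id IN (" + ",".join(submitted) + ") ORDER BY artifact_id")
    return [row[0] for row in db.execute(sql)]

def filter_hardened(db, submitted):
    # Validate: user group ids are integers, so accept plain decimal strings only.
    ids = []
    for value in submitted:
        if not (isinstance(value, str) and value.isascii() and value.isdigit()):
            raise ValueError("invalid user group id: %r" % (value,))
        ids.append(int(value))
    if not ids:
        return []
    # Bind: only '?' placeholders reach the SQL text; the values travel separately.
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT artifact_id FROM artifact_perm "
           "WHERE ugroup_id IN (" + placeholders + ") ORDER BY artifact_id")
    return [row[0] for row in db.execute(sql, ids)]

def probe(db, submitted):
    """Return (vulnerable outcome, hardened outcome) for one submitted value list."""
    outcomes = []
    for fn in (filter_vulnerable, filter_hardened):
        try:
            outcomes.append(("rows", fn(db, submitted)))
        except sqlite3.Error:
            outcomes.append(("db_error", None))   # query text was broken by the input
        except ValueError:
            outcomes.append(("rejected", None))   # input stopped before any SQL ran
    return tuple(outcomes)

if __name__ == "__main__":
    db = make_db()
    print(probe(db, ["100", "101"]))  # well-formed selection
    print(probe(db, ["100", ")"]))    # the modified second value from the report
```

    A database error returned for a report filter is the signal to look for in logs: it means submitted values reached the query text unescaped.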

    Credits

    Thank you to Cristiano Maruti (@cmaruti) for reporting this issue and coordinating its disclosure with us.

    References

    CVE-2018-7538

    CWE-89
    https://www.owasp.org/index.php/SQL_Injection

    Trackers
    All
    Stage
    Closed
    2018-02-27

    Follow-ups

    • Public disclosure.
    • CVE-2018-7538 has been assigned to this vulnerability.
    • Add credits and disclosure date.
    • gerrit #10682 integrated into Tuleap 9.17.99.215

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2018-02-27
    • A patch is under review: gerrit #10682.

      • Status changed from Under implementation to Under review