•  
      request #11192 Filters set in tracker reports are vulnerable to SQL injections
    Infos
    #11192
    Thomas Gerbet (tgerbet)
    2018-03-05 18:11
    2018-02-26 13:52
    11467
    Details
    Filters set in tracker reports are vulnerable to SQL injections

    Tuleap does not sanitize properly user inputs when constructing SQL queries for a tracker report when a criteria is a cross reference or a permissions on artifact field.

    Impact

    An attacker with access to a tracker report could execute arbitrary SQL queries.
    CVSSv3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    Using a select box bound to a user group, select None and use ) as the second sent value (intercept and modify the request to do it), you will get a DB error caused by the resulting broken query and the lack of proper escaping.

    Credits

    Thank you to Cristiano Maruti (@cmaruti) for reporting and coordinate with us the disclosure of this issue.

    References

    CVE-2018-7538

    CWE-89
    https://www.owasp.org/index.php/SQL_Injection

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-02-27
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-02-28 11:00
    CVE-2018-7538 has been assigned to this vulnerability.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2018-02-28 10:58
    Add credits and disclosure date.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes