Mailing List Archive: Bricolage: devel

SQL Injection Vulnerability?



david at justatheory

Jun 20, 2012, 8:40 AM

Post #1 of 6 (2240 views)
SQL Injection Vulnerability?

Fellow Bricoleurs,

Google Alerts notified me of this page yesterday:

http://packetstormsecurity.org/files/113840/bricolagecms-sqlxss.txt

We should not have any SQL injection vulnerabilities, because all of our code *should* be using placeholders. Can anyone confirm? (I'm not equipped to load it up and test right now.)

Thanks,

David


alex at gt

Jun 20, 2012, 9:56 AM

Post #2 of 6 (2133 views)
Re: SQL Injection Vulnerability? [In reply to]

Hi David,

Hmm, the demo:

> DEMO:
> A)Persistent XSS
> 1. http://localhost/admin/profile/output_channel/
> DEMO: http://demo.bricolagecms.org/admin/profile/output_channel/
> In 'Name' and 'Description' field,
> POST DATA= "'-->><script>alert(0)</script>
>
> 2. http://localhost/admin/profile/source/
> DEMO: http://demo.bricolagecms.org/admin/profile/source/
> In 'Source Name' and 'description' field,
> POST DATA= "'-->><script>alert(0)</script>
>
> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
> 1. http://localhost/admin/profile/element_type/
> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
> In 'Source Name' and 'description' field,
> POST DATA= "'-->><script>alert(0)</script>


looks like cross site scripting (i.e. entering html into fields, output
is not escaped when displayed).

No info that I can see on actual sql injection.

Cheers,

Alex


david at justatheory

Jun 20, 2012, 2:24 PM

Post #3 of 6 (2130 views)
Re: SQL Injection Vulnerability? [In reply to]

On Jun 20, 2012, at 6:56 PM, Alex Krohn wrote:

>> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
>> 1. http://localhost/admin/profile/element_type/
>> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
>> In 'Source Name' and 'description' field,
>> POST DATA= "'-->><script>alert(0)</script>
>
>
> looks like cross site scripting (i.e. entering html into fields, output
> is not escaped when displayed).
>
> No info that I can see on actual sql injection.

Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?

David


alex at gt

Jun 20, 2012, 2:40 PM

Post #4 of 6 (2124 views)
Re: SQL Injection Vulnerability? [In reply to]

> >> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
> >> 1. http://localhost/admin/profile/element_type/
> >> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
> >> In 'Source Name' and 'description' field,
> >> POST DATA= "'-->><script>alert(0)</script>
> >
> >
> > looks like cross site scripting (i.e. entering html into fields, output
> > is not escaped when displayed).
> >
> > No info that I can see on actual sql injection.
>
> Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?

I tested it out on demo.bricolagecms.org and put script tags in and
everywhere I could see it was escaped. Quite possible some places it
might not be though.

Cheers,

Alex


adrian at gt

Jun 20, 2012, 2:50 PM

Post #5 of 6 (2130 views)
Re: SQL Injection Vulnerability? [In reply to]

On 06/20/12 14:40, Alex Krohn wrote:
>>>> B)SQL error pages on reflected XSS/malicious char(Info Disclosure)
>>>> 1. http://localhost/admin/profile/element_type/
>>>> Demo: http://demo.bricolagecms.org/admin/profile/element_type/
>>>> In 'Source Name' and 'description' field,
>>>> POST DATA= "'-->><script>alert(0)</script>
>>>
>>>
>>> looks like cross site scripting (i.e. entering html into fields, output
>>> is not escaped when displayed).
>>>
>>> No info that I can see on actual sql injection.
>>
>> Well that's confusing. Do we have an XSS vulnerability? And if we do, does it really matter?
>
> I tested it out on demo.bricolagecms.org and put script tags in and
> everywhere I could see it was escaped. Quite possible some places it
> might not be though.

I think the issue is when you then search for that element type. The
element name isn't html escaped in the search results.

Adrian


david at justatheory

Jun 21, 2012, 8:04 AM

Post #6 of 6 (2141 views)
Re: SQL Injection Vulnerability? [In reply to]

On Jun 20, 2012, at 11:50 PM, Adrian Yee wrote:

> I think the issue is when you then search for that element type. The element name isn't html escaped in the search results.

Ah. Would you mind filing a bug report about that, Adrian?

Thanks,

David
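
The two defects discussed in this thread, put side by side as an added example (not Bricolage code, not from the advisory, and written in Python with sqlite3 rather than Bricolage's Perl): David's point that every query should go through placeholders, and Adrian's point that a stored element name is rendered into the search results without HTML escaping. The `element_type` table, the `O'Reilly Press` name and the render functions are constructed for the demonstration; the stored payload is the one quoted from the advisory. The concatenated query shows why an ordinary apostrophe produces a database error page (the advisory's section B), and the two render functions show the same stored value with and without output escaping.

```python
import html
import sqlite3

# Constructed sample data. XSS_PAYLOAD is the POST DATA quoted in the
# advisory; APOSTROPHE_NAME is an ordinary value with a single quote in it.
XSS_PAYLOAD = "\"'-->><script>alert(0)</script>"
APOSTROPHE_NAME = "O'Reilly Press"


def make_db():
    """Build an in-memory table standing in for Bricolage's element types
    (table layout is assumed, not the project's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE element_type ("
        "id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    # Inserting with placeholders: the stored value may contain anything.
    conn.executemany(
        "INSERT INTO element_type (name, description) VALUES (?, ?)",
        [(XSS_PAYLOAD, "stored via placeholder"),
         (APOSTROPHE_NAME, "ordinary name with an apostrophe")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """VULNERABLE: the value is spliced into the SQL text. A single quote in
    the input unbalances the statement and the driver raises; shown to the
    user, that error is the 'SQL error page' the advisory describes."""
    sql = f"SELECT id, name, description FROM element_type WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_placeholder(conn, name):
    """FIXED: the driver binds the value; quotes in the data never reach the
    SQL parser, so any name can be looked up."""
    sql = "SELECT id, name, description FROM element_type WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def sql_error_on_concat(conn, name):
    """Return the database error message the concatenated query produces for
    this input, or None if it ran cleanly."""
    try:
        find_by_name_concat(conn, name)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def render_results_unescaped(rows):
    """VULNERABLE: stored fields are interpolated raw into the search-results
    markup, so a stored payload becomes live script in the browser."""
    return "".join(
        f"<tr><td>{name}</td><td>{desc}</td></tr>" for _, name, desc in rows
    )


def render_results_escaped(rows):
    """FIXED: every stored field is HTML-escaped at output time."""
    return "".join(
        f"<tr><td>{html.escape(name)}</td><td>{html.escape(desc)}</td></tr>"
        for _, name, desc in rows
    )


def contains_live_markup(rendered):
    """True if a <script tag survives in the rendered output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    db = make_db()
    print("concat query error:", sql_error_on_concat(db, APOSTROPHE_NAME))
    print("placeholder query ok:", find_by_name_placeholder(db, APOSTROPHE_NAME))
    rows = find_by_name_placeholder(db, XSS_PAYLOAD)
    print("unescaped:", render_results_unescaped(rows))
    print("escaped:  ", render_results_escaped(rows))
```

The check Adrian describes (create the element type, then search for it) corresponds to `render_results_escaped` being used for the results page; the escaping belongs at output time regardless of what validation happened on input, since the same stored value can be rendered in more than one place.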
