#3754 - Security Issue - SQL Injection
| Identifier | #3754 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | Security Issue - SQL Injection |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | search |
| Description | SQL Injection is a critical security vulnerability which allows an attacker to extract the entire database of the site using malicious SQL queries. It does not require any authentication for the user. SQL Injection is dangerous as it allows an attacker to include a shell and compromise the web server. |
| Steps to reproduce | Step 1: Visit the URL https://compo.sr/ Step 2: Go to the search field and enter any SQL characters, like the below URL https://compo.sr/search.htm?search_tutorials_external=1&search_comcode_pages=1&days=-1&all_defaults=0&content=hello%22+OR+1%3D1-- Step 3: It will trigger the SQL error as shown |
| Funded? | No |


Comments
It's us not fully filtering incorrect fulltext search syntax. The error relates to the trailing '-', indicating a word exclusion which is not then actually specified.
While it is not a vulnerability, it is a bug.
On some MySQL/MariaDB versions, MySQL will not be happy when a boolean fulltext query has any of these syntax errors:
1) Trailing + or - (As there's no succeeding word to be included/disincluded)
2) Leading * (As there's no preceding word to be multiplied)
3) Double + or - or * (As operators don't count as words)
4) Various other errors with operators we strip out, as we don't want to support them
This is all within the logic of the boolean querying logic, not the SQL query as a whole - nothing is injected into the SQL parser.
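The four syntax errors listed in the comment above can be handled by normalising the user's search string before it is handed to the fulltext engine. The following is an added illustration, not Composr's own code: it strips operators outside the supported set (point 4), drops a leading `*` and any trailing `+`/`-` (points 1 and 2), collapses doubled operators (point 3), and then shows the sanitised string being bound as a query parameter so that, as the comment says, only the fulltext parser and never the SQL parser interprets it. The column name `content_body` is a placeholder and the tokenisation rule (a term is a run of word characters with optional `+`/`-`/`*` on either side) is an assumption of this example.

```python
import re

# A term is optional operator characters, a run of word characters, then optional
# operator characters. Only + - * are passed through; everything else that is not a
# word character (quotes, parentheses, ~, <, >, @, =, ...) is treated as a separator,
# i.e. unsupported operators are stripped outright.
_TERM = re.compile(r'([+\-*]*)(\w+)([+\-*]*)')


def sanitize_boolean_fulltext(query: str) -> str:
    """Return a MySQL/MariaDB boolean-mode fulltext query with the four syntax
    errors from the comment removed. Illustrative code, not the project's own."""
    # Unsupported operators and stray punctuation become plain separators, so an
    # unbalanced quote or '=' cannot leave the fulltext grammar in a bad state.
    cleaned = re.sub(r'[^\w+\-*\s]', ' ', query)
    terms = []
    for prefix, word, suffix in _TERM.findall(cleaned):
        # Points 2 and 3: a leading * has nothing to multiply and doubled operators
        # are invalid, so keep at most one leading + or - (the first one written).
        lead = next((c for c in prefix if c in '+-'), '')
        # Points 1 and 3: a trailing + or - has no following word to apply to, and
        # repeated wildcards are invalid, so keep at most one trailing *.
        trail = '*' if '*' in suffix else ''
        terms.append(f'{lead}{word}{trail}')
    # Operators standing alone (e.g. a bare '-') never match _TERM and so vanish.
    return ' '.join(terms)


def build_match_clause(user_query: str):
    """Return (sql_fragment, params). The sanitised string travels as a bound
    parameter, so it is only ever seen by the fulltext parser inside MATCH ...
    AGAINST, never by the SQL parser. 'content_body' is a placeholder column."""
    return ("MATCH (content_body) AGAINST (%s IN BOOLEAN MODE)",
            [sanitize_boolean_fulltext(user_query)])


if __name__ == '__main__':
    # Constructed sample: the decoded value of the reporter's 'content' parameter.
    reporter_input = 'hello" OR 1=1--'
    print(sanitize_boolean_fulltext(reporter_input))   # hello OR 1 1
    print(build_match_clause(reporter_input))
```

Running the block on the reporter's decoded input `hello" OR 1=1--` yields the plain term list `hello OR 1 1`: the unbalanced quote and the `=` become separators and the trailing `--` that tripped the fulltext parser is dropped, while legitimate operators such as `+foo -bar baz*` pass through untouched.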