Bug #13470

Clipboard toggle endpoint is vulnerable to SQL injection

Added by José Raddaoui Marín over 1 year ago. Updated about 1 year ago.

Status: Verified
Start date: 01/27/2021
Priority: Medium
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: Release 2.6.2
Google Code Legacy ID:
Tested version: 2.4, 2.5, 2.6
Sponsored: No
Requires documentation:

Description

This has been confirmed against https://demo.accesstomemory.org with slightly different exploits:

Parameter: slug (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: slug=test";SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: slug=test" AND (SELECT 9304 FROM (SELECT(SLEEP(5)))wnhK)-- VMrE

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: slug=test" UNION ALL SELECT CONCAT(0x7171786a71,0x716e61414a64516177526e667368574d4f584a42614e4276726166534z765949454c50514b666a61,0x7178626b71)-- -

This is a blind SQL injection caused by a non-parameterized query.

25x_issue_13470.patch (3.82 KB) José Raddaoui Marín, 02/03/2021 06:59 PM

24x_issue_13470.patch (2.67 KB) José Raddaoui Marín, 02/03/2021 06:59 PM

26x_issue_13470.patch (3.82 KB) José Raddaoui Marín, 02/03/2021 07:00 PM
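The bug class reported above (a request parameter spliced into the query text) next to the parameterized form that the fix relies on, as an added example that is not AtoM's code or the attached patches. It assumes an in-memory SQLite database with an invented `slug` table, and it uses single-quoted string literals, whereas AtoM's MySQL query quoted the value with double quotes (which is why the payloads in the description open with a `"`); the crafted value below is constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for AtoM's slug table; the table and
# column names are assumptions for this example, not AtoM's schema.
SAMPLE_SLUGS = ["fonds-smith", "series-letters", "item-photo-1"]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with three objects addressable by slug."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slug (id INTEGER PRIMARY KEY, slug TEXT NOT NULL)")
    conn.executemany("INSERT INTO slug (slug) VALUES (?)",
                     [(s,) for s in SAMPLE_SLUGS])
    return conn


def find_ids_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    """The pattern behind this bug: the GET parameter is formatted into the
    SQL text, so a quote in it closes the literal and whatever follows is
    parsed as SQL rather than compared as a slug."""
    sql = "SELECT id FROM slug WHERE slug = '%s'" % slug
    return [row[0] for row in conn.execute(sql)]


def find_ids_parameterized(conn: sqlite3.Connection, slug: str) -> list:
    """The fix: the value is handed to the driver separately from the
    statement and bound as data, whatever characters it contains."""
    rows = conn.execute("SELECT id FROM slug WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


def toggle_clipboard(conn: sqlite3.Connection, clipboard: set, slug: str) -> bool:
    """Add the object with this slug to the clipboard, or remove it if it is
    already there. Returns False and leaves the clipboard unchanged when no
    object has that slug. Always goes through the parameterized lookup."""
    ids = find_ids_parameterized(conn, slug)
    if not ids:
        return False
    obj_id = ids[0]
    if obj_id in clipboard:
        clipboard.remove(obj_id)
    else:
        clipboard.add(obj_id)
    return True


if __name__ == "__main__":
    db = make_db()
    # Constructed value that closes the literal and appends a tautology.
    crafted = "x' OR '1'='1"
    print("vulnerable:   ", find_ids_vulnerable(db, crafted))     # [1, 2, 3]
    print("parameterized:", find_ids_parameterized(db, crafted))  # []
```

With the concatenated query the crafted value matches every row because the comparison has been rewritten; with the bound parameter the same string is compared literally, matches nothing, and the toggle reports "no such slug". The same contrast holds for the stacked, time-based and UNION payloads in the description: once the slug is bound as data, none of them reach the parser as SQL.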

History

#3 Updated by Dan Gillean over 1 year ago

  • Private changed from Yes to No

#4 Updated by Dan Gillean over 1 year ago

Attached are patches for the affected AtoM versions. To apply the patch over a running AtoM instance, move to the AtoM folder, check the patch will work over the existing source code and apply it:

Using Git:

cd /path/to/atom
git apply --check /path/to/26x-13470.patch
git apply --stat /path/to/26x-13470.patch
git apply /path/to/26x-13470.patch

Using Patch:

cd /path/to/atom
patch -p1 --dry-run < /path/to/26x-13470.patch
patch -p1 --dry-run --verbose < /path/to/26x-13470.patch
patch -p1 < /path/to/26x-13470.patch

Then clear the Symfony cache and restart PHP-FPM:

php symfony cc
sudo systemctl restart php7.2-fpm

Note that Artefactual has also made a 2.6.2 release available that includes this patch, if you would prefer to upgrade to the latest stable version. For more information, see:

#5 Updated by Dan Gillean about 1 year ago

  • Status changed from New to Verified
