Bug #13470: Clipboard toggle endpoint is vulnerable to SQL injection - Access to Memory (AtoM) - Artefactual Projects

Bug #13470

Clipboard toggle endpoint is vulnerable to SQL injection

Added by José Raddaoui Marín over 1 year ago. Updated about 1 year ago.

Status:

Verified

Start date:

01/27/2021

Priority:

Medium

Due date:

Assignee:

% Done:

Category:

Security

Target version:

Release 2.6.2

Google Code Legacy ID:

Tested version:

2.4, 2.5, 2.6

Sponsored:

Requires documentation:

Description

This has been confirmed against https://demo.accesstomemory.org with slightly different exploits:

Parameter: slug (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: slug=test";SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: slug=test" AND (SELECT 9304 FROM (SELECT(SLEEP(5)))wnhK)-- VMrE

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: slug=test" UNION ALL SELECT CONCAT(0x7171786a71,0x716e61414a64516177526e667368574d4f584a42614e4276726166534z765949454c50514b666a61,0x7178626b71)-- -

This is a blind SQL injection caused by a non parameterized query.

25x_issue_13470.patch (3.82 KB) José Raddaoui Marín, 02/03/2021 06:59 PM

24x_issue_13470.patch (2.67 KB) José Raddaoui Marín, 02/03/2021 06:59 PM

26x_issue_13470.patch (3.82 KB) José Raddaoui Marín, 02/03/2021 07:00 PM

History

#1 Updated by José Raddaoui Marín over 1 year ago

File 24x_issue_13470.patch added
File 25x_issue_13470.patch added
File 26x_issue_13470.patch added

#3 Updated by Dan Gillean over 1 year ago

Private changed from Yes to No

#4 Updated by Dan Gillean over 1 year ago

Attached are patches for the affected AtoM versions. To apply the patch over a running AtoM instance, move to the AtoM folder, check the patch will work over the existing source code and apply it:

Using Git:

cd /path/to/atom
git apply --check /path/to/26x-13470.patch
git apply --stat /path/to/26x-13470.patch
git apply /path/to/26x-13470.patch

Using Patch:

cd /path/to/atom
patch -p1 --dry-run < /path/to/26x-13470.patch
patch -p1 --dry-run --verbose < /path/to/26x-13470.patch
patch -p1 < /path/to/26x-13470.patch

Then clear the Symfony cache and restart PHP-FPM:

php symfony cc
sudo systemctl restart php7.2-fpm

Note that Artefactual has also made a 2.6.2 release available that includes this patch, if you would prefer to upgrade to the latest stable version. For more information, see:

https://wiki.accesstomemory.org/Releases/Release_announcements/Release_2.6.2

#5 Updated by Dan Gillean about 1 year ago

Status changed from New to Verified

Also available in: Atom PDF

Access to Memory (AtoM)

Issues

Custom queries