cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 14286] New: - SQL Injection Vulnerability in DatabaseAuthenticatorAction
Date Wed, 06 Nov 2002 03:22:44 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14286>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14286

SQL Injection Vulnerability in DatabaseAuthenticatorAction

           Summary: SQL Injection Vulnerability in
                    DatabaseAuthenticatorAction
           Product: Cocoon 2
           Version: Current CVS
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: core
        AssignedTo: cocoon-dev@xml.apache.org
        ReportedBy: javageoff@yahoo.com


The code (in head as well as 2.0.3) is dynamically building sql select 
statement, does not use PreparedStatement, and does no input validation.  The 
exploit is easily reproducible by entering a string such as 

Donald Ball'; DROP TABLE employee;

as the user name in the form at /samples/protected/login.  The vulnerability of 
course is not limited to the example, but would apply to anyone using 
DatabaseAuthenticatorAction.

SOLUTION:
Use PreparedStatement.  The code seems to be largely based on 
DatabaseSelectAction which uses PreparedStatement.  Is it a reasonable solution 
to make DatabaseAuthenticatorAction extend DatabaseSelectAction, call super.act
() and introduce only the extra functionality needed?  Unfortunately, I am 
unable to work on this at the moment.

Geoff Howard

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message