View Issue Details

ID: 0000211
Project: Bacula-Web
Category: security-issue
View Status: public
Last Update: 2018-03-03 21:21
Reporter: gsorondo
Assigned To: davide
Priority: immediate
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS: Ubuntu
OS Version: 16.04.1
Product Version: 7.4.0
Target Version: 8.0.0-rc2
Fixed in Version: 8.0.0-rc2
Summary: 0000211: SQL Injection in jobs.php
Description: The "jobs.php" script is vulnerable to SQL injection because it fails to sanitize the contents of the "pool_id" parameter.
This allows an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Steps To Reproduce: The following GET request can be used to extract the result of the "select @@version" query.

Request:
GET /jobs.php?status=0&level_id=&client_id=0&start_time=&end_time=&orderby=jobid&jobs_per_page=25&pool_id=11%27%20UNION%20ALL%20SELECT%20@@version%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1

Response:
HTTP/1.1 200 OK
[...]
            <td>5.7.19-0ubuntu0.16.04.1</td>
            <td class="text-left">
             backupjob-report.php?backupjob_name=
[...]
Additional Information: My name is Gustavo Sorondo and I'm the CTO of "Cinta Infinita Information Security" (http://cintainfinita.com).
This vulnerability was identified during an internal penetration test on one of our clients.

We believe in responsible disclosure, so the vulnerability details or existence will not be made public until there is a fix for it.

Feel free to contact me for more details.

Tags: No tags attached.

Activities

davide

2017-08-09 08:58

manager   ~0000617

I confirm the security issue

CHttpRequest::getSafeValue() uses the strip_tags PHP function to "sanitize" $_GET and $_POST user input.
This is obviously not enough.

I'll fix the code and provide a fix asap.

Thanks for raising this security issue

davide

2017-08-13 10:43

manager   ~0000623

To be honest, using PDO bind_params or bind_value was something I'd like to use, but I didn't know it would prevent SQL injection.
This is something I'll implement but not in the next version, as it involves too much change in the code.
I'd rather use htmlentities and filter_var first, then switch to parametrized queries later.
Thanks for the tip

davide

2017-08-17 13:35

manager   ~0000625

Yes please, I'll send you the pre-release source code so you can check if I've done things in the right way.

Thanks for your help

davide

2017-09-07 08:24

manager   ~0000637

Hi,

I've made some tests with Arachni and found out that there are other PHP scripts which don't protect against SQL injection.

I'm working on a fix and want to make sure it fixes the SQL injection problem.
Do you mind telling me which tool you're using? Is it an open-source/free tool?

Thanks for your feedback

davide

2017-09-11 07:29

manager   ~0000639

Any feedback ?

davide

2017-09-12 09:00

manager   ~0000641

Thank you for your feedback

I'll let you know when I'm ready with a potentially "fixed" version of Bacula-Web

davide

2017-09-18 11:20

manager   ~0000663

I've found a way to implement PDOStatement::bindParam() faster and simpler than expected.
A "fixed" version of Bacula-Web will be available soon :)

davide

2017-09-30 09:11

manager   ~0000683

Hi,
I'm done with a fixed code.
How do you want to test it?

davide

2017-10-01 10:40

manager   ~0000685

Hi,
The code is available here -> https://github.com/bacula-web/bacula-web/tree/develop
I'll let you know when a publicly available instance of Bacula-Web is available.

davide

2017-10-05 10:35

manager   ~0000686

Hi,
A test version of Bacula-Web is available now (details below).

url: http://demo.bacula-web.org
user: admin
pass: sqljam

Please be "gentle" with your sqlmap queries, this is an openshift instance ;)

Thanks for your feedback and help

davide

2017-10-07 07:49

manager   ~0000688

Hi,

Did you have time to test it?
Best regards

Davide

gsorondo

2017-10-07 08:17

reporter   ~0000689

Sorry Davide

Busy week. Will have an update in a few days.

Thanks

davide

2017-10-07 09:01

manager   ~0000690

No problem

I'll wait for your feedback before releasing the next version.

Thanks for your help

davide

2017-10-09 09:33

manager   ~0000695

I've decided to disclose this security issue in 8.0.0 release notes.

P.S: I hope you will be able to test this week

gsorondo

2017-10-12 22:47

reporter   ~0000696

Hey Davide.
I am not able to access http://demo.bacula-web.org.
Looks like there are some PHP issues.
Please fix this so I can test it.
It's OK to disclose the security issue in the release notes. We will wait for the new version to go live, and make our own disclosure for discovering the vuln and request a CVEID, following our responsible disclosure policy (http://cintainfinita.com/disclosure.html).
Thanks!

davide

2017-10-13 08:32

manager   ~0000697

Hi,
The demo is now fixed, you can test it.

Regarding security issue disclosure.

Just to clarify my plans.

Within the next few days, I'll release version 8.0.0-RC1, which is not a stable version.
This security issue will not be part of the release notes of this version, but only of the next stable major version (8.0.0).
A version 8.0.0-RC2 is already planned and there might be an 8.0.0-RC3.

I expect to release 8.0.0 within a few weeks, unless I made any serious mistake in the code ;)

The idea is simply not to force Bacula-Web users to upgrade to a "potentially" unstable version to avoid SQL injection.

Does it sound good to you?

Thanks for your help and your valuable feedback

gsorondo

2017-10-16 04:18

reporter   ~0000698

Hey Davide.

I have verified that the injection on client-report.php and backupjob-report.php has been fixed by checking that the parameter is in an expected values array.

The code for jobs.php is the one that seems to have changed the most.

I'm seeing some PHP errors in the demo site. Pool filter doesn't seem to be working on jobs.php.
I think it would be faster if you add me to Hangouts (gs@cintainfinita.com.ar) and we can have a more dynamic communication channel.

I will be out of office till Tuesday. We could have a talk then and check if the vuln has been fixed on jobs.php.

By the way, CVE-2017-15367 has already been assigned to these vulnerabilities and is pending public disclosure until you release the fixed version.

Thanks.

davide

2017-10-16 12:01

manager   ~0000699

Hi,

The issue with jobs.php with the pool filter is fixed in the upstream source code.
I will update the demo website.

Good idea, let's talk on Hangouts. It will be faster and more productive.

Thanks for creating the CVE, I'll mention it in the 8.0.0 release notes.

Regards

davide

2018-02-28 17:11

manager   ~0000730

Demo is up to date with the latest fixes.

I'll release a new release candidate version this evening.

gsorondo

2018-02-28 23:17

reporter   ~0000732

I can no longer get DB information by exploiting SQL Injection in the "job_type_filter" parameter.

However I can still generate a SQL error by inserting a single quote within the "job_orderby" parameter. I haven't been able to exploit this one, but it might be exploitable. The same fix should be applied to this parameter.
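
As an added example (not Bacula-Web's own code), the two fixes this thread converges on: the strip_tags()-based sanitizer davide describes in note ~0000617 beside a PDO-bound query for pool_id, and an allow-list for job_orderby, since a column name cannot be bound as a parameter (which is why a quote in that parameter still produced a SQL error after the first fix). Function names, the allow-list, the query and the demo data are assumptions; column names follow the Bacula catalog's Job table.

```php
<?php
// Added example, not Bacula-Web code. Function names, the allow-list and the
// query are hypothetical; column names follow the Bacula catalog's Job table.
// The pattern confirmed in note ~0000617: strip_tags() only removes HTML
// tags, so a single quote survives and later ends up inside the SQL text.
function getSafeValueLegacy(array $source, string $name): string
{
    return strip_tags($source[$name] ?? '');
}

// Fix for pool_id: validate the type, then bind the value with
// PDOStatement::bindValue() so the driver never treats it as SQL.
// Fix for job_orderby: identifiers cannot be bound, so the column name is
// only ever taken from an allow-list (the approach verified on the report pages).
function fetchJobsByPool(PDO $pdo, string $poolId, string $orderBy): array
{
    $allowedOrderBy = ['jobid', 'name', 'starttime', 'endtime', 'jobbytes'];
    if (!in_array($orderBy, $allowedOrderBy, true)) {
        $orderBy = 'jobid';   // unknown or malformed value: fall back to a safe default
    }
    if (filter_var($poolId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('pool_id must be an integer');
    }

    $sql = "SELECT jobid, name, starttime, endtime, jobbytes"
         . " FROM Job WHERE poolid = :poolid ORDER BY $orderBy";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':poolid', (int) $poolId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Job (jobid INTEGER PRIMARY KEY, name TEXT,'
         . ' starttime TEXT, endtime TEXT, jobbytes INTEGER, poolid INTEGER)');
$pdo->exec("INSERT INTO Job VALUES (1, 'BackupCatalog', '2018-03-01 02:00:00',"
         . " '2018-03-01 02:05:00', 1024, 11)");

var_dump(getSafeValueLegacy(['pool_id' => "11'"], 'pool_id')); // the quote is still there
print_r(fetchJobsByPool($pdo, '11', 'jobid'));    // normal request
print_r(fetchJobsByPool($pdo, '11', "jobid'"));   // bad order column is ignored
try {
    fetchJobsByPool($pdo, "11'", 'jobid');        // bad pool_id rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```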

davide

2018-03-02 09:17

manager   ~0000733

I have fixed the SQL error when inserting a single quote in the job_orderby parameter.

The demo website uses the latest source code, please confirm.

Thank you

gsorondo

2018-03-02 21:58

reporter   ~0000734

Issue has been fixed. I have no knowledge of exploitable SQL injection issues as of now.

davide

2018-03-03 21:21

manager   ~0000735

All SQL injection bugs are fixed now.
Closing this bug report

Thanks again Gustavo.

Issue History

Date Modified Username Field Change
2017-08-09 03:00 gsorondo New Issue
2017-08-09 03:00 gsorondo File Added: Screenshot from 2017-08-08 21:53:13.png
2017-08-09 08:56 davide Assigned To => davide
2017-08-09 08:56 davide Status new => assigned
2017-08-09 08:58 davide Status assigned => confirmed
2017-08-09 08:58 davide Note Added: 0000617
2017-08-09 17:08 davide Note View State: 0000617: private
2017-08-11 16:21 davide Note View State: 0000617: public
2017-08-13 10:43 davide Note Added: 0000623
2017-08-17 13:35 davide Note Added: 0000625
2017-08-20 07:52 davide Target Version => 8.0.0-rc1
2017-09-07 08:24 davide Status confirmed => feedback
2017-09-07 08:24 davide Note Added: 0000637
2017-09-11 07:29 davide Note Added: 0000639
2017-09-12 03:30 gsorondo Status feedback => assigned
2017-09-12 09:00 davide Note Added: 0000641
2017-09-18 11:20 davide Note Added: 0000663
2017-09-30 09:11 davide Status assigned => feedback
2017-09-30 09:11 davide Note Added: 0000683
2017-09-30 23:51 gsorondo Status feedback => assigned
2017-10-01 10:40 davide Note Added: 0000685
2017-10-05 10:35 davide Status assigned => feedback
2017-10-05 10:35 davide Note Added: 0000686
2017-10-07 07:49 davide Note Added: 0000688
2017-10-07 08:17 gsorondo Note Added: 0000689
2017-10-07 08:17 gsorondo Status feedback => assigned
2017-10-07 09:01 davide Note Added: 0000690
2017-10-09 09:33 davide Target Version 8.0.0-rc1 => 8.0.0
2017-10-09 09:33 davide Note Added: 0000695
2017-10-12 22:47 gsorondo Note Added: 0000696
2017-10-13 08:32 davide Status assigned => feedback
2017-10-13 08:32 davide Note Added: 0000697
2017-10-16 04:18 gsorondo Note Added: 0000698
2017-10-16 04:18 gsorondo Status feedback => assigned
2017-10-16 12:01 davide Note Added: 0000699
2017-12-10 12:18 davide Target Version 8.0.0 => 8.0.0-rc2
2018-02-28 17:11 davide Note Added: 0000730
2018-02-28 23:17 gsorondo Note Added: 0000732
2018-03-02 09:17 davide Status assigned => feedback
2018-03-02 09:17 davide Note Added: 0000733
2018-03-02 21:58 gsorondo Note Added: 0000734
2018-03-02 21:58 gsorondo Status feedback => assigned
2018-03-03 21:20 davide View Status private => public
2018-03-03 21:21 davide Status assigned => resolved
2018-03-03 21:21 davide Resolution open => fixed
2018-03-03 21:21 davide Note Added: 0000735
2018-03-03 21:21 davide Fixed in Version => 8.0.0-rc2