Vulners
Lucene search
Gogs - 'label' SQL Injection
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Gogs Blind SQL Injection Vulnerability | 15 Nov 201400:00 | – | zdt |
 | CVE-2014-8681 | 21 Nov 201415:00 | – | cve |
 | CVE-2014-8681 | 21 Nov 201415:00 | – | cvelist |
 | EUVD-2021-1361 | 7 Oct 202500:30 | – | euvd |
 | Gogs - label SQL Injection | 14 Nov 201400:00 | – | exploitpack |
 | SQL Injection in gogs.io/gogs | 29 Jun 202118:32 | – | github |
 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 29 Jun 202100:00 | – | gitlab |
 | CVE-2014-8681 | 21 Nov 201415:59 | – | nvd |
 | Gogs >= 0.3.1, < 0.5.8 Multiple Vulnerabilities | 6 Feb 201500:00 | – | openvas |
 | GHSA-MR6H-CHQP-P9G2 SQL Injection in gogs.io/gogs | 29 Jun 202118:32 | – | osv |
10
Blind SQL Injection in Gogs label search
========================================
Researcher: Timo Schmid <[email protected]>
Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])
It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.
Gogs provides a view to filter issues by labels. This view is accessible at
/<username>/<repository>/issues?labels=&type=&state=
The labels Parameter of this view is vulnerable to a blind SQL injection.
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)
CVE-ID
======
CVE-2014-8681
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.
Status
======
Fixed by Vendor
Vulnerable Code Section
=======================
models/issue.go:
[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds,
sortType string) ([]Issue, error) {
sess := x.Limit(20, (page-1)*20)
if rid > 0 {
sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
} else {
sess.Where("is_closed=?", isClosed)
}
if uid > 0 {
sess.And("assignee_id=?", uid)
} else if pid > 0 {
sess.And("poster_id=?", pid)
}
if mid > 0 {
sess.And("milestone_id=?", mid)
}
if len(labelIds) > 0 {
for _, label := range strings.Split(labelIds, ",") {
sess.And("label_ids like '%$" + label + "|%'")
}
}
[...]
The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. A attacker is restricted to not use commas in the
injection
string as the program splits input at commas.
Proof of Concept
================
Test of version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or
char_length(@@version) > 10
and '|%'='&type=all&state=
Returns all issues if true, non if false.
This could be used to extract data with a binary search.
Solution
========
This vulnerability could easily be fixed by using prepared statements:
sess.And("label_ids like ?", "%$" + label + "|%")
Update to Version 0.5.6.1025.
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned
Credits
=======
Pascal Turbing <[email protected]>
Jiahua (Joe) Chen <[email protected]>
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt
Advisory-ID
===========
BC-1401
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
--
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Nov 2014 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 27.5
EPSS0.05208