Message Boards

Found a blind SQL injection, how to repair it

Updated 9 years ago by sean wang.

Found a blind SQL injection, how to repair it

New Member Posts: 11 Join Date: 14/08/21
Hi friends,
I used WebInspect to scan my website and found a blind SQL injection issue; the report is as below. Can someone tell me how to repair this issue?

Attack Request:
GET /ThemeFLT-theme/js/main.js?browserId=
firefox9%27%09or%09(1%09%3c%09(select%09case%09when%091%3d1%09then%09(select%09CHECKSUM_AGG
(c1.id)%09from%09syscolumns%09c1%2c%09syscolumns%09c2%2c%09syscolumns%09c3%2c%09syscolumns%09c4%
2c%09syscolumns%09c5%09where%09c1.id%3dc2.id%09and%09c2.id%3dc3.id%09and%09c4.id%3dc3.id%09and%
09c5.id%3dc4.id)%09else%090%09end))%09and%09%271%27%3d%271
&minifierType=js&languageId=en_US&b=6201&t=1411986...TRUNCATED...

Attack Response:
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Date: Tue, 30 Sep 2014 09:01:51 GMT
Connection: close
Content-Length: 11443
<title>Apache&nbsp;Tomcat/7.0.42&nbsp;-&nbsp;Error&nbsp;report</title><style><!--H1 {font-family:Tahoma,Arial,sansserif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;backgroundcolor:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;fontsize:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans
-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;fontsize:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style>&nbsp;<h1>HTTP&nbsp;Status&nbsp;
500&nbsp;-&nbsp;/opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42/work/Catalina/localhost/ThemeFLT-theme/aggregate/http_/ThemeFLTtheme/js/main.jsbrowserId=firefox9%27%09or%09(1%09%3c%09(select%09case%09when%091%3d1%09then%09
(select%09CHECKSUM_AGG(c1.id)%09from%09syscolumns%09c1%2c%09syscolumns%09c2%2c%09syscolumns%09c3%
2c%09syscolumns%09c4%2c%09syscolumns%09c5%09where%09c1.id%3dc2.id%09and%09c2.id%3dc3.id%09and%
09c4.id%3dc3.id%09and%09c5.id%3dc4.id)%09else%090%09end))%09and%09%271%27%3d%
271&amp;minifierType=js&amp;languageId=en_US&amp;b=6201&amp;t=1411986772000_E_CONTENT_TYPE&nbsp;(File&nbsp;name&nbsp;
too&nbsp;long)</h1><hr size="1" noshade="noshade"><p><b>type</b>&nbsp;Exception&nbsp;report</p><p><b>message</b>&nbsp;
<u>/opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42/work/Catalina/localhost/ThemeFLT-theme/aggregate/http_/ThemeFLTtheme/js/main.jsbrowserId=firefox9%27%09or%09(1%09%3c%09(select%09case%09when%091%3d1%09then%09
(select%09CHECKSUM_AGG(c1.id)%09from%09syscolumns%09c1%2c%09syscolumns%09c2%2c%09syscolumns%09c3%
2c%09syscolumns%09c4%2c%09syscolumns%09c5%09where%09c1.id%3dc2.id%09and%09c2.id%3dc3.id%09and%
09c4.id%3dc3.id%09and%09c5.id%3dc4.id)%09else%090%09end))%09and%09%271%27%3d%
271&amp;minifierType=js&amp;languageId=en_US&amp;b=6201&amp;t=1411986772000_E_CONTENT_TYPE&nbsp;(File&nbsp;name&nbsp;
too&nbsp;long)</u></p><p><b>description</b>&nbsp;<u>The&nbsp;server&nbsp;encountered&nbsp;an&nbsp;internal&nbsp;error&nbsp;that&nbsp;preve
nted&nbsp;it&nbsp;from&nbsp;fulfilling&nbsp;this&nbsp;request.</u></p><p><b>exception</b>&nbsp;</p></hr size="1" noshade="noshade">
java.io.FileNotFoundException:&nbsp;/opt/liferay-portal-
6.2-ce-ga2/tomcat-7.0.42/work/Catalina/localhost/ThemeFLT-theme/aggregate/http_/ThemeFLTtheme/js/main.jsbrowserId=firefox9%27%09or%09(1%09%3c%09(select%09case%09when%091%3d1%09then%09
(select%09CHECKSUM_AGG(c1.id)%09from%09syscolumns%09c1%2c%09syscolumns%09c2%2c%09syscolumns%09c3%
2c%09syscolumns%09c4%2c%09syscolumns%09c5%09where%09c1.id%3dc2.id%09and%09c2.id%3dc3.id%09and%
09c4.id%3dc3.id%09and%09c5.id%3dc4.id)%09else%090%09end))%09and%09%271%27%3d%
271&amp;minifierType=js&amp;languageId=en_US&amp;b=6201&amp;t=1411986772000_E_CONTENT_TYPE&nbsp;(File&nbsp;name&nbsp;
too&nbsp;long)
java.io.FileOutputStream.open(Native&nbsp;Method)
java.io.FileOutputStream.&lt;init&gt;(FileOutputStream.java:221)
com.liferay.portal.util.FileImpl.write(FileImpl.java:949)
com.liferay.portal.util.FileImpl.write(FileImpl.java:927)
com.liferay.portal.util.FileImpl.write(FileImpl.java:922)
com.liferay.portal.kernel.util.FileUtil.write(FileUtil.java:425)
com.liferay.portal.servlet.filters.aggregate.AggregateFilter.getContent(AggregateFilter.java:408)
com.liferay.portal.servlet.filters.aggregate.AggregateFilter.processFilter(AggregateFilter.java:508)
com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204)
com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
com.liferay.portal.kernel.servlet.PortalClassLoaderFilter.doFilter(PortalClassLoaderFilter.java:74)
com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204)
com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
su
...TRUNCATED...
Updated 9 years ago by Tomas Polesovsky.

RE: Found a blind SQL injection, how to repair it

Liferay Master Posts: 676 Join Date: 09/02/13
Hi Sean,

thank you for sharing.

Related to SQLi - it's a false positive, which means there is no SQL injection.

The only SQL operation behind these parameters is to get the correct theme:
-> it's related to parameter themeId
-> this SQL operation is safe

This is a common issue with automated tools that report lots of false positives because they don't know how the portal works.

Anyhow, there is a small vulnerability in this code called path disclosure; with this I can see the portal is deployed in the /opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42/ folder. I'll create a JIRA ticket and make a note that you found it. Once we fix it you'll find it on the Known Vulnerabilities page.

For next time, I'd like to ask you to use our responsible disclosure program; please see the https://www.liferay.com/security page.

Thank you.
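As an added example (not part of the thread and not Liferay's code), here is a small Python triage script that does what the reply above does by hand: it parses the Tomcat 500 page quoted in the first post, decides whether the failure happened in the database layer or in file I/O (here a java.io.FileNotFoundException raised while writing an aggregate cache file whose name was built from the query string, not a database error), and lists what the error page discloses (the /opt/... install directory and the Tomcat version banner). Both response bodies are constructed: SAMPLE_RESPONSE is a trimmed copy of the page quoted above, and SAMPLE_DB_RESPONSE is an invented JDBC failure with a hypothetical com.example.ThemeDao frame, included only to show what a real database-side error looks like for contrast.

```python
"""Triage a scanner's 500 "attack response": what failed, and what leaked?

Added example, not Liferay's code. The two bodies below are constructed:
SAMPLE_RESPONSE trims the Tomcat error page quoted in the thread;
SAMPLE_DB_RESPONSE is an invented JDBC error (hypothetical com.example.ThemeDao).
"""
import html
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<title>Apache&nbsp;Tomcat/7.0.42&nbsp;-&nbsp;Error&nbsp;report</title>"
    "<h1>HTTP&nbsp;Status&nbsp;500&nbsp;-&nbsp;/opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42"
    "/work/Catalina/localhost/ThemeFLT-theme/aggregate/http_/ThemeFLTtheme/js/"
    "main.jsbrowserId=firefox9%27%09or%09(1%09%3c%09(select%09...)&nbsp;(File&nbsp;name&nbsp;too&nbsp;long)</h1>\n"
    "<p><b>exception</b>&nbsp;</p>\n"
    "java.io.FileNotFoundException:&nbsp;/opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42"
    "/work/Catalina/localhost/ThemeFLT-theme/aggregate/http_/ThemeFLTtheme/js/"
    "main.jsbrowserId=firefox9%27...&nbsp;(File&nbsp;name&nbsp;too&nbsp;long)\n"
    "java.io.FileOutputStream.open(Native&nbsp;Method)\n"
    "java.io.FileOutputStream.&lt;init&gt;(FileOutputStream.java:221)\n"
    "com.liferay.portal.util.FileImpl.write(FileImpl.java:949)\n"
    "com.liferay.portal.servlet.filters.aggregate.AggregateFilter.getContent(AggregateFilter.java:408)\n"
)

SAMPLE_DB_RESPONSE = (  # constructed; com.example.ThemeDao is hypothetical
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<h1>HTTP&nbsp;Status&nbsp;500</h1>\n"
    "java.sql.SQLSyntaxErrorException:&nbsp;syntax&nbsp;error&nbsp;near&nbsp;'1'\n"
    "com.example.ThemeDao.find(ThemeDao.java:42)\n"
)

# Lowercase substrings that point at the database layer vs. file I/O.
DB_MARKERS = ("java.sql.", "sqlexception", "jdbc", "hibernate", "syntax error")
FS_MARKERS = ("java.io.filenotfoundexception", "java.io.ioexception",
              "java.nio.file.", "file name too long", "no such file")

# First line of the body that starts with a Java exception class name.
EXC_RE = re.compile(r"^([A-Za-z_][\w.]*(?:Exception|Error|Throwable))\b", re.M)
# Absolute Unix path with at least two components; the lookbehind keeps
# "Tomcat/7.0.42" and percent-encoded fragments from being taken as paths.
PATH_RE = re.compile(r"(?<![\w%=])(?:/[A-Za-z0-9._-]+){2,}")
BANNER_RE = re.compile(r"Apache Tomcat/[\d.]+")


def split_response(raw):
    """Return (status_code, headers dict, decoded body text)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Tomcat pads its error page with &nbsp; entities; decode to plain text.
    text = html.unescape(body).replace("\xa0", " ")
    return status, headers, text


def exception_class(text):
    m = EXC_RE.search(text)
    return m.group(1) if m else None


def classify(text):
    """'database' if the failure is in the DB layer, 'filesystem' if in file I/O."""
    low = text.lower()
    if any(m in low for m in DB_MARKERS):
        return "database"
    if any(m in low for m in FS_MARKERS):
        return "filesystem"
    return "other"


def leaked_paths(text):
    return sorted(set(PATH_RE.findall(text)))


def deployment_root(paths):
    """Collapse leaked paths to the install directory: Tomcat keeps compiled
    and cached files under CATALINA_BASE/work, so the part before '/work/'
    is the instance root."""
    for p in paths:
        if "/work/" in p:
            return p.split("/work/", 1)[0]
    return paths[0] if paths else None


def triage(raw):
    status, headers, text = split_response(raw)
    paths = leaked_paths(text)
    category = classify(text)
    banner = BANNER_RE.search(text)
    return {
        "status": status,
        "exception": exception_class(text),
        "category": category,
        "sql_evidence": category == "database",
        "leaked_paths": paths,
        "deployment_root": deployment_root(paths),
        "server_banner": banner.group(0) if banner else headers.get("server"),
    }


if __name__ == "__main__":
    for label, raw in (("scanner finding", SAMPLE_RESPONSE),
                       ("constructed DB error", SAMPLE_DB_RESPONSE)):
        print(label, triage(raw))
```

Running this on the quoted response reports a filesystem failure with no SQL evidence and a leaked deployment root of /opt/liferay-portal-6.2-ce-ga2/tomcat-7.0.42, which is exactly the path-disclosure point made above; the constructed JDBC response, by contrast, is the kind of single-response signal that would justify looking further at the database layer.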
Updated 9 years ago by Tomas Polesovsky.

RE: Found a blind SQL injection, how to repair it

Liferay Master Posts: 676 Join Date: 09/02/13
I tried to reproduce it and it seems it has already been fixed in the 6.2 release, by a different bug fix.

To fix the path disclosure, please copy the highlighted lines into your portal web.xml file: https://github.com/liferay/liferay-portal/blob/6.2.0-ga1/portal-web/docroot/WEB-INF/web.xml#L832-835

Thanks.
Updated 9 years ago by sean wang.

RE: Found a blind SQL injection, how to repair it

New Member Posts: 11 Join Date: 14/08/21
Hi Tomas,
Thanks for your reply.
As you say, the bug has already been fixed in the 6.2 release, but the version I am using is 6.2. Why does this issue still exist?