I was working on porting a security mechanism to Joomla, and figured out that
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver.php#L1590
has a terrible vulnerability.
Joomla allows the developer to use #__ in the SQL query as a placeholder for the table prefix, and later tries to replace this with the actual prefix (before submitting the query to the db).
Now, since #__ might appear in the rest of the query, especially inside strings, the replacePrefix function tries to quickly lex the query, and ignore #__ if it appears inside a string.
The issue is that lexing a SQL query is not that simple and straightforward, and one can easily use this to leak table prefix and break scope in the queries.
For example, the following query:
    SELECT * FROM #__content WHERE 1>'#__abc'
will become:
    SELECT * FROM ykl0e_content WHERE 1>'#__abc'
But this query will break the lexer easily:
    SELECT * FROM #__content WHERE 1>/* ' */ '#__abc'
    SELECT * FROM ykl0e_content WHERE 1>/* ' */ 'ykl0e_abc'
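The two queries above, run through a constructed Python model of the prefix replacement (added here for illustration; this is not Joomla's replacePrefix code): the quote-only scan reproduces the rewrite shown in the report, while a scan that copies comments verbatim first leaves the literal untouched. The prefix ykl0e_ is the sample value from the report.

```python
PREFIX_TOKEN = "#__"
def replace_prefix(sql: str, prefix: str, handle_comments: bool) -> str:
    """Replace #__ wherever it occurs outside a string literal.

    handle_comments=False models the quote-only scan the report describes:
    a quote inside /* */ flips its in-string state and the literal after the
    comment is rewritten. handle_comments=True copies /* */ and "-- " comments
    verbatim first. Constructed model, not Joomla's code; MySQL's "#" line
    comment is not handled because it collides with the placeholder itself.
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if handle_comments and sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            j = n if end < 0 else end + 2
        elif handle_comments and sql.startswith("-- ", i):
            end = sql.find("\n", i)
            j = n if end < 0 else end
        elif ch in ("'", '"', "`"):
            # Copy the literal verbatim (backslash escapes, doubled quotes);
            # an unterminated literal runs to the end of the query.
            j = i + 1
            while j < n:
                if sql[j] == "\\":
                    j += 2
                elif sql[j] != ch:
                    j += 1
                elif j + 1 < n and sql[j + 1] == ch:
                    j += 2
                else:
                    j += 1
                    break
        elif sql.startswith(PREFIX_TOKEN, i):
            out.append(prefix)
            i += len(PREFIX_TOKEN)
            continue
        else:
            j = i + 1
        out.append(sql[i:j])
        i = j
    return "".join(out)

PREFIX = "ykl0e_"  # sample prefix and the two queries quoted in the report
BENIGN = "SELECT * FROM #__content WHERE 1>'#__abc'"
BYPASS = "SELECT * FROM #__content WHERE 1>/* ' */ '#__abc'"
if __name__ == "__main__":
    for q in (BENIGN, BYPASS):
        print(replace_prefix(q, PREFIX, False), "|", replace_prefix(q, PREFIX, True))
```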
It's not about developers using it, it's about attackers using it in their payload!
If developers are not using it, it's all the more reason to cut it out of the code.
This feature is used multiple times in the core code.
Fair enough :) Our security email is security@joomla.org.
Please do contact us there when you have finished your research - thank you!
Status | New | ⇒ | Closed
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-05-30 16:59:42
Closed_By | | ⇒ | zero-24
Build | master | ⇒ | staging
You are linking to a 6 year old commit!?
My bad. Made a mistake.
Hi,
I don't think this is a vulnerability. It might be a bug - but I don't think it's insecure in any way. To be honest I think that this is something that we probably won't even fix - this code hasn't changed since Joomla 1.5 - and we've never had this reported before so I suspect the number of users using #__ as a column name is very low (if any are). I will consult with some people around the project before closing this as a "won't fix" though. Thanks for reporting this anyhow!