With reference to - https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access - it seems necessary to know the database prefix in order to execute this exploit successfully.
Given that the prefix is shown in a database error message, it is trivial to discover the prefix; one merely needs to execute an SQL injection attempt and receive the error message to recover the prefix.
Granted, although one could argue that preventing SQL Injection in the first place makes masking the prefix redundant, the exploit above would not have been possible (or at the very least made more difficult) if it was not possible to easily retrieve or guess the database prefix.
Furthermore, the point of creating a random prefix string in the Joomla setup process, presumably as an added level of security, is itself redundant if it can be retrieved easily.
I propose that the prefix is removed from the error message, e.g.:
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/mysqli.php#L585
$this->errorMsg = (string) mysqli_error($this->connection) . ' SQL=' . str_replace($this->tablePrefix, '#__', $query);
Of course this would need to be done in all the other drivers too.
Perhaps make it conditional on debug mode?
Yes. I will leave the details up to those more familiar with the database architecture.
Affected lines are:
MySQLi Driver
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/mysqli.php#L585
MySQL Driver
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/mysql.php#L313
PDO Driver
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/pdo.php#L438-L479
PostgreSQL Driver
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/postgresql.php#L699-L738
MS SQL Driver
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver/sqlsrv.php#L633-L675
Even with this change, we can get the database prefix when we manage to have a syntax error.
For example, I get here after patching:
500 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'uc.name AS editor FROM `jos_ucm_history` AS h LEFT JOIN jos_users AS uc ON uc.id' at line 1 SQL=SELECT (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM ,uc.name AS editor FROM `#__ucm_history` AS h LEFT JOIN #__users AS uc ON uc.id = h.editor_user_id WHERE `h`.`ucm_item_id` = 75 AND `h`.`ucm_type_id` = 1 ORDER BY `h`.`save_date`
@Devportobello yes, but this is just the first part; we also need the second part of the message ;) We are working on it currently.
PR is: #8130 Thanks @ryandemmer
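To illustrate what "both parts of the message" means in practice, here is an added example, not Joomla's own code and not the content of PR #8130, of masking the table prefix in the driver's native error text as well as in the appended SQL= query, and of dropping the query entirely when debug mode is off, as suggested above. The function names maskTablePrefix() and buildErrorMessage(), the $debug flag and the sample strings are assumptions made for this example.

```php
<?php
// Added example (not Joomla's own code): scrub the real table prefix out of
// both halves of a database error message before it is surfaced to a user.
// maskTablePrefix(), buildErrorMessage() and $debug are illustrative names.

/**
 * Replace every occurrence of the real table prefix with the generic
 * '#__' placeholder. Returns the text unchanged when the prefix is empty,
 * because str_replace() with an empty search string would not replace anything.
 */
function maskTablePrefix(string $prefix, string $text): string
{
    if ($prefix === '') {
        return $text;
    }

    return str_replace($prefix, '#__', $text);
}

/**
 * Build the text a driver would store in its errorMsg property.
 * The driver's own message (MySQL's "You have an error in your SQL syntax
 * ... near '...'") can quote a fragment of the failed query, so it has to be
 * masked too, not only the SQL= part. Outside debug mode the query is omitted.
 */
function buildErrorMessage(string $prefix, string $driverMsg, string $query, bool $debug): string
{
    $msg = maskTablePrefix($prefix, $driverMsg);

    if ($debug) {
        $msg .= ' SQL=' . maskTablePrefix($prefix, $query);
    }

    return $msg;
}

// Constructed sample input, shaped like the syntax error reported above.
$prefix    = 'jos_';
$driverMsg = "You have an error in your SQL syntax; check the manual that corresponds "
           . "to your MySQL server version for the right syntax to use near "
           . "'uc.name AS editor FROM `jos_ucm_history` AS h LEFT JOIN jos_users AS uc ON uc.id' at line 1";
$query     = 'SELECT h.save_date, uc.name AS editor FROM `jos_ucm_history` AS h '
           . 'LEFT JOIN jos_users AS uc ON uc.id = h.editor_user_id WHERE h.ucm_item_id = 75';

$debugMsg  = buildErrorMessage($prefix, $driverMsg, $query, true);
$prodMsg   = buildErrorMessage($prefix, $driverMsg, $query, false);

// Self-check: the real prefix must not survive in either variant, and the
// production variant must not carry the query at all.
assert(strpos($debugMsg, 'jos_') === false);
assert(strpos($debugMsg, '`#__ucm_history`') !== false);
assert(strpos($prodMsg, 'SQL=') === false);

echo $debugMsg, PHP_EOL;
echo $prodMsg, PHP_EOL;
```

Two caveats worth keeping in mind: a plain str_replace() will also rewrite any user-supplied value that happens to contain the prefix string, which is harmless for an error message but means the masked text is not a faithful copy of the query; and the masking only hides the prefix, so the remaining structure of the query is still exposed whenever the SQL= part is shown, which is why tying it to debug mode is the more useful half of the change.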
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2015-10-23 10:23:05
Closed_By: ⇒ zero-24
SQL Error with prefix removed: