Issue Number | 4106 |
---|---|
Summary | SQL Injection vulnerability in GPMailer scripts |
Created | 2016-05-20 17:52:34 |
Issue Type | Bug |
Submitted By | Learn, Blair (NIH/NCI) [C] |
Assigned To | Learn, Blair (NIH/NCI) [C] |
Status | Closed |
Resolved | 2016-05-23 17:50:54 |
Resolution | Won't Fix |
Path | /home/bkline/backups/jira/ocecdr/issue.184582 |
The pages under https://gpmailers.cancer.gov/cgi-bin/ are, I believe, world-accessible. Three of these scripts have SQL injection vulnerabilities:
ListGPEmailers - the bounce parameter is passed to SQL without sanitation.
ShowGPChanges.py - the id parameter is passed to SQL without sanitation.
recorded-gp.py - the mailerId and recorded parameters are passed to SQL without sanitation.
There's a new branch for this work:
Thanks! That saves me a step. :-)
Test for ShowGPChanges.py:
https://gpmailers-dev.cancer.gov/cgi-bin/ShowGPChanges.py?id=668310%3Bselect%20*%20from%20gp_emailer;
Expect HTTP 400 status.
Test for ListGPEmailers:
https://gpmailers-dev.cancer.gov/cgi-bin/ListGPEmailers?bounce=747688%3Bselect%20*%20from%20gp_emailer;
Expect HTTP 400 status.
This is not an issue.
During testing, I realized that I had mistaken a function call for string building. Instead of injecting unsanitized values into a string, all of the values were being passed to a library method which correctly sanitizes the values before putting the query together.
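The distinction the resolution turns on, shown as an added example (not code from the GPMailer scripts or the library they use): one function builds the query by splicing the raw `id` parameter into SQL text, the other hands the value to the database driver as a bound parameter, which is what a correctly written query-building library does. The schema, the `sqlite3` stand-in for the real database, and the `handle_show_changes` request handler with its integer check (returning the HTTP 400 the test cases above expect) are assumptions for the demonstration; the tainted value is the `id` from the ShowGPChanges.py test link.

```python
import re
import sqlite3

# Constructed sample table; the real gp_emailer columns are not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gp_emailer "
        "(id INTEGER PRIMARY KEY, mailerId INTEGER, recorded TEXT, bounce INTEGER)"
    )
    conn.executemany(
        "INSERT INTO gp_emailer VALUES (?, ?, ?, ?)",
        [(668310, 1001, "2016-05-20", 0), (747688, 1002, "2016-05-21", 1)],
    )
    return conn

def build_query_unsafe(id_param):
    """The pattern the ticket suspected: the request parameter becomes part of
    the SQL text, so anything after the number is parsed as SQL too.
    Returned as a string (not executed) so the splice is visible."""
    return "SELECT id, mailerId, recorded FROM gp_emailer WHERE id = %s" % id_param

def fetch_changes_safe(conn, id_param):
    """Parameter binding: the driver transmits the value separately from the
    statement, so the tainted string is compared as a value and matches nothing."""
    cur = conn.execute(
        "SELECT id, mailerId, recorded FROM gp_emailer WHERE id = ?", (id_param,)
    )
    return cur.fetchall()

# Assumed input contract: the id is a plain decimal integer.
ID_RE = re.compile(r"^[0-9]{1,10}$")

def handle_show_changes(conn, params):
    """CGI-style handler (hypothetical): validate the parameter shape first,
    then query with binding. Returns (http_status, rows)."""
    raw = params.get("id", "")
    if not ID_RE.match(raw):
        return 400, []            # malformed id: reject before touching the database
    return 200, fetch_changes_safe(conn, int(raw))

if __name__ == "__main__":
    db = make_db()
    tainted = "668310;select * from gp_emailer"   # the id from the test link above
    print(build_query_unsafe(tainted))            # shows the spliced SQL text
    print(fetch_changes_safe(db, tainted))        # [] : bound value, no match
    print(handle_show_changes(db, {"id": tainted}))   # (400, [])
    print(handle_show_changes(db, {"id": "668310"}))  # (200, [(668310, 1001, '2016-05-20')])
```

The input check and the parameter binding are independent layers: binding alone already prevents the parameter from being interpreted as SQL, and the shape check on top of it is what turns the malformed test requests into a clean 400 instead of an empty result.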