SQL Injection from Workflow Screen II

Issue: SI-30
Date: Nov 30, 2015, 10:00:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3
Credit: Customer Security Scan
Description:

SQL injection is a method of attack in which an attacker exploits vulnerable code and the kinds of data an application will accept; it can be carried out through any application parameter that influences a database query. Examples include parameters within the URL itself, POST data, or cookie values. If successful, SQL injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database. Recommendations include employing a layered approach to security: using parameterized queries when accepting user input, ensuring that only expected data is accepted by the application, and hardening the database server to prevent data from being accessed inappropriately.

It is possible to call an administrative JSP/portlet page and pass in escaped and/or malicious SQL code which dotCMS will execute.
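The following is an added illustration of the layered fix the description recommends, not code from dotCMS or from the referenced commit. It uses an in-memory SQLite table (a constructed stand-in, not the dotCMS workflow schema) and three hypothetical lookup functions: one that concatenates a request parameter into the SQL text, one that binds it as a query parameter, and one that additionally rejects anything that is not a plausible owner name before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data standing in for a CMS workflow table (not dotCMS's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow_task (id TEXT PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO workflow_task VALUES (?, ?, ?)", [
        ("t-1", "Review homepage", "alice"),
        ("t-2", "Publish pricing", "bob"),
        ("t-3", "Archive old news", "alice"),
    ])
    return conn


def tasks_for_owner_vulnerable(conn, owner):
    # The request parameter is spliced into the statement text, so the database
    # parses whatever the client sent as part of the SQL itself.
    sql = "SELECT id FROM workflow_task WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def tasks_for_owner_parameterized(conn, owner):
    # The value is bound as data. Quotes or keywords inside it are compared
    # literally against the owner column and never change the query's structure.
    rows = conn.execute(
        "SELECT id FROM workflow_task WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]


# Allow-list for what an owner name is expected to look like (hypothetical policy).
OWNER_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def tasks_for_owner_hardened(conn, owner):
    # Layered control: validate the shape of the input first, then bind it.
    # Validation gives a clear rejection (and a log-worthy event) for unexpected
    # data; the bound parameter protects the query even if validation is loosened.
    if not OWNER_RE.fullmatch(owner):
        raise ValueError("rejected parameter: not a valid owner name")
    return tasks_for_owner_parameterized(conn, owner)


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", tasks_for_owner_vulnerable(db, "alice"))
    print("bound lookup:", tasks_for_owner_parameterized(db, "alice"))
    print("hardened lookup:", tasks_for_owner_hardened(db, "alice"))
```

Run against the constructed table, the concatenating function returns rows for other owners when the parameter contains a quote followed by SQL, while the bound version returns nothing for the same input and the hardened version refuses it outright; a refusal like that is a useful signal to log and alert on.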

Mitigation:

Restrict the URL pattern /html/portlet to your administrator's IP range.
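In deployments this restriction normally lives in the reverse proxy or firewall in front of the application; as an added example that is not part of this advisory or of dotCMS, the check below expresses the same rule in Python so the edge cases are visible: the path is canonicalised before matching so that `/html/./portlet/...` and `/html/portlet/../portlet/...` are still covered, a sibling path such as `/html/portlets` is not caught by accident, and an unparsable source address fails closed. The address ranges are constructed placeholders.

```python
import ipaddress
import posixpath

# Constructed placeholder ranges: substitute the real administrator networks.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]
RESTRICTED_PREFIX = "/html/portlet"


def canonical_path(raw_path):
    # Drop the query string, collapse "." and ".." segments and repeated slashes,
    # so the comparison is made against the path the server would actually serve.
    path = raw_path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def is_restricted_path(raw_path):
    path = canonical_path(raw_path)
    # Match the prefix itself or anything beneath it; "/html/portlets" is a
    # different resource and is deliberately not matched.
    return path == RESTRICTED_PREFIX or path.startswith(RESTRICTED_PREFIX + "/")


def request_allowed(raw_path, client_ip, admin_networks=ADMIN_NETWORKS):
    """Return True if the request may proceed under the IP-range rule."""
    if not is_restricted_path(raw_path):
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        # Missing or malformed source address: fail closed on the admin area.
        return False
    return any(ip in net for net in admin_networks)


if __name__ == "__main__":
    print(request_allowed("/html/portlet/ext/workflows/view", "10.0.5.20"))
    print(request_allowed("/html/portlet/ext/workflows/view", "203.0.113.9"))
```

When the check runs behind a proxy, `client_ip` must be the address the proxy itself observed (or a forwarded header the proxy is trusted to set), not a header the client can supply.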

References:

https://github.com/dotCMS/core/commit/aca9c2461bb3d3694a074158fcccd6f12f2791d6