Summary
SQL statements throughout the application use Python-native format strings rather than sqlite3 formatting strings. Note how parameters on the documents page make use of ? within SQL queries rather than formatted strings: https://docs.python.org/3/library/sqlite3.html
Details
Unsafe example from createPost.py:
cursor.execute(
f"""
insert into posts(title,tags,content,author,views,date,time,lastEditDate,lastEditTime)
values("{postTitle}","{postTags}","{postContent}",
"{session["userName"]}",0,
"{currentDate()}",
"{currentTime()}",
"{currentDate()}",
"{currentTime()}")
"""
)Remediated example:
cursor.execute(
"insert into posts(title,tags,content,author,views,date,time,lastEditDate,lastEditTime) \
values(?, ?, ?, ?, ?, ?, ?, ?, ?)",
(postTitle, postTags, postContent,
session["userName"], 0,
currentDate(),
currentTime(),
currentDate(),
currentTime()))PoC
For the post creation example above, create a post containing the content " + (SELECT( 1 || 2 || 3 || 4 || 5)) + ", as shown below.
When the post is created, notice how 1 || 2 || 3 || 4 || 5 has been concatenated to 12345.
Impact
A low privilege user can execute commands as the underlying sqlite3 server.
adindrabkin Reporter
Summary
SQL statements throughout the application use Python-native format strings rather than sqlite3 formatting strings. Note how parameters on the documents page make use of
?within SQL queries rather than formatted strings: https://docs.python.org/3/library/sqlite3.htmlDetails
Unsafe example from
createPost.py:Remediated example:
PoC
For the post creation example above, create a post containing the content
" + (SELECT( 1 || 2 || 3 || 4 || 5)) + ", as shown below.When the post is created, notice how
1 || 2 || 3 || 4 || 5has been concatenated to 12345.Impact
A low privilege user can execute commands as the underlying sqlite3 server.