[phpMyAdmin Developers] Question regarding fix of CVE 2020-26935 - SQL Injection via SearchController

Sat Dec 26 23:07:07 CET 2020

Hi,

Thank you for the quick answer. There is only one thing which confuses us, as how the vulnerability marked with CVE 2020-26935 has any danger to the system? All "dangerous" characters used for SQL injections get escaped. It is possible to send a union or a sleep command in the query but the union command is limited by the user privileges and sleep only makes everything on the attackers side slower. You can also try to send a second sql command in the where_clause but through dbi it only takes the first sql command and ignores the rest. So far as we see it, there isn't a realistic danger to the system. So why excatly did you create a cve for that, which has a relatively high score?

Regards
MKrebs & JHiller
Students @ HAW Hof

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Am Freitag, 18. Dezember 2020 00:01 schrieb Isaac Bennetch <bennetch at gmail.com>:

> Hi,
>
> The attack vector is someone intercepting the search parameter and injecting some arbitrary SQL command there. If I recall correctly, the where_clause is not presented in the graphical interface at all and is simply present in the POST variables. It's used to build the query, but isn't going to be modified by the user, and prior to the fix we were just recalling the statement from the POST data without confirming that the user had not modified it. The fix verifies the signature of the returned portion of the query to make sure the user (or some attacker) has not injected their own statement in to the where_clause.
>
> If you believe the code is still vulnerable, you're welcome to write back here or send an email to security at phpmyadmin.net. Of course, if I have left off some detail, I'm happy to answer further questions as well as I can.
>
> Cheers,
> Isaac from the phpMyAdmin project
>
> On Thu, Dec 17, 2020 at 8:45 AM studentProject via Developers <developers at phpmyadmin.net> wrote:
>
>> Hello,
>>
>> we are two students from the university of applied sciences Hof in Germany and for a module about IT-security we are researching the vulnerability marked with CVE 2020-26935, which describes a possible SQLi attack via SearchController.
>>
>> The issue has already been documented by phpmyadmin:
>> https://www.phpmyadmin.net/security/PMASA-2020-6/
>>
>> And the responsible fix has also been linked as a git commit in the link above:
>> https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
>>
>> We are writing because we do not fully understand in which way the commit in question fixes any possible SQLi attacks mentioned in the CVE. As far as our research goes, we have figured out that the where_clause gets signed with an HMAC signature, which doesn't necessarily provide security against said attacks.
>>
>> Would you mind elaborating how the commit mentioned in the issue linked above fixes the CVE (2020-26935) in question? We are clueless considering the given commit doesn't seem to clear up the question for us. Is the commit linked in the PMASA-2020-6 note perhaps wrong? Does the fix lie in another method/class or even in the frontend instead?
>>
>> Regards
>> MKrebs & JHiller
>> Students @ HAW Hof
>> _______________________________________________
>> Developers mailing list
>> Developers at phpmyadmin.net
>> https://lists.phpmyadmin.net/mailman/listinfo/developers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.phpmyadmin.net/pipermail/developers/attachments/20201226/ee9bf1d4/attachment.html>