Potential SQL Injection Vulnerability in Default BOINC Website

Tom Donlon

Joined: 22 Mar 22
Posts: 3
Message 110987 - Posted: 1 Feb 2023, 20:21:18 UTC
Last modified: 1 Feb 2023, 20:22:07 UTC

Hello Everyone,

I'm a developer for MilkyWay@home, and our project recently failed a routine vulnerability scan from our host institution. The potential vulnerability comes from the "next_url" parameter in the BOINC website file "create_account_form.php" (link to the relevant code on GitHub here: https://github.com/BOINC/boinc/blob/master/html/user/create_account_form.php).

From what I understand, the vulnerability is this: if you put something in the website url after "create_account_form.php", like "create_account_form.php?next_url=1", then the page reloads but everything after the ? persists in the url. I'm told that this is difficult but not impossible to utilize for a SQL injection attack. Here's the full report that we got from our routine vulnerability scan:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'next_url' parameter of the /milkyway/create_account_form.php CGI :

/milkyway/create_account_form.php?next_url='+and+'b'>'a

-------- output --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="">
    
        <div class="form-group">
-------- vs --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="' and 'b'>'a"
>
    
        <div class="form-group">
------------------------


This looks like the scan was able to access unintended php source code for this webpage via the command line.

We would like to fix this issue so that it isn't a problem in the future. However, I don't have any experience with this sort of thing, and I was wondering if any of you who knew more could help us out. Additionally, we wanted to bring it to your attention so that the BOINC website code could get fixed, so that other people don't experience any issues from this in the future.

It looks like the BOINC code tries to sanitize the "next_url" parameter with the function "sanitize_local_url" in https://github.com/BOINC/boinc/blob/master/html/inc/util.inc. Maybe this sanitize function can be changed in some way to prevent this problem? Or maybe there's a better fix.

Best,
Tom Donlon
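The scan output above shows the raw parameter value being reflected verbatim into the hidden input's value attribute. The following is an added example, not BOINC's own code and not the current body of sanitize_local_url: one way to restrict a next_url-style parameter to a relative local path and to HTML-escape it at the point where it is written into the form. Function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not BOINC's code. Requires PHP 8 (str_starts_with, str_contains).

// Return the URL unchanged if it is an acceptable local, relative target,
// otherwise an empty string (the caller then falls back to a default page).
function safe_local_url(string $url): string {
    // Allowlist of characters for a simple relative path plus query string.
    // This excludes ':' (so no scheme such as https: or javascript:), quotes,
    // angle brackets, backslashes, whitespace and control characters.
    if (!preg_match('#^[A-Za-z0-9_./?=&%-]+$#', $url)) {
        return '';
    }
    // "//host/..." is protocol-relative and would leave the site;
    // ".." segments could climb out of the intended directory.
    if (str_starts_with($url, '//') || str_contains($url, '..')) {
        return '';
    }
    return $url;
}

// Build the hidden field. Escape unconditionally at the output boundary:
// even an accepted value must never be able to break out of the attribute.
function hidden_next_url_field(string $raw): string {
    $next = safe_local_url($raw);
    return '<input type="hidden" name="next_url" value="'
        . htmlspecialchars($next, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed sample inputs: two legitimate local targets, the scanner's
// probe string from the report, and three off-site or scheme-bearing values.
$samples = [
    "home.php",                     // accepted
    "prefs.php?subset=project",     // accepted
    "' and 'b'>'a",                 // rejected (quotes, spaces, '>')
    "https://evil.example/phish",   // rejected (':' not allowed)
    "//evil.example/phish",         // rejected (protocol-relative)
    "javascript:alert(1)",          // rejected (scheme)
];
foreach ($samples as $s) {
    printf("%-30s => %s\n", var_export($s, true), hidden_next_url_field($s));
}
```

Rejected values yield an empty value attribute, which is what the unmodified page already renders when the parameter is absent.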
Dave
Help desk expert

Joined: 28 Jun 10
Posts: 2492
United Kingdom
Message 110988 - Posted: 1 Feb 2023, 20:38:58 UTC - in response to Message 110987.

Hi Tom.

I don't understand enough to judge the risks involved from this, but the devs mostly don't frequent these forums much. If you want to, you can create an account at GitHub and lodge it as an issue.
Jord
Volunteer tester
Help desk expert

Joined: 29 Aug 05
Posts: 15460
Netherlands
Message 110989 - Posted: 1 Feb 2023, 23:14:29 UTC - in response to Message 110987.

I agree with Dave; you'd best put this up for the developers to see at https://github.com/BOINC/boinc/issues.
If you want me to, I can add it as an issue, but any further explanation I cannot give, as I am not the original author.
Tom Donlon

Joined: 22 Mar 22
Posts: 3
Message 110994 - Posted: 2 Feb 2023, 14:52:32 UTC

Thanks for the suggestion, I'll make an issue on GitHub.

Copyright © 2024 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.