Hello Everyone,

I'm a developer for MilkyWay@home, and our project recently failed a routine vulnerability scan from our host institution. The potential vulnerability comes from the "next_url" parameter in the BOINC website file "create_account_form.php" (link to the relevant code on github here https://github.com/BOINC/boinc/blob/master/html/user/create_account_form.php).

From what I understand, the vulnerability is this: if you put something in the website url after "create_account_form.php", like "create_account_form.php?next_url=1", then the page reloads but everything after the ? persists in the url. I'm told that this is difficult but not impossible to utilize for a SQL injection attack. Here's the full report that we got from our routine vulnerability scan:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'next_url' parameter of the /milkyway/create_account_form.php CGI :

/milkyway/create_account_form.php?next_url='+and+'b'>'a

-------- output --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="">
    
        <div class="form-group">
-------- vs --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="' and 'b'>'a"
>
    
        <div class="form-group">
------------------------

This looks like the scan was able to access unintended php source code for this webpage via the command line.

We would like to fix this issue so that it isn't a problem in the future. However, I don't have any experience with this sort of thing, and I was wondering if any of you who knew more could help us out. Additionally, we wanted to bring it to your attention so that the BOINC website code could get fixed, so that other people don't experience any issues from this in the future.

It looks like the BOINC code tries to sanitize the "next_url" parameter with the function "sanitize_local_url" in https://github.com/BOINC/boinc/blob/master/html/inc/util.inc. Maybe this sanitize function can be changed in some way to prevent this problem? Or maybe there's a better fix.

Best,
Tom Donlon

Hi Tom.

I don't understand enough to judge the risks involved from this but the dev's mostly don't frequent these forums much. If you want to, you can create and account at git-hub and lodge it as an issue.

I agree with Dave, you best put this up for the developers to see at https://github.com/BOINC/boinc/issues
If you want me to, I can add it as an issue, but any further explanation I cannot give as I am not the original author.

Thanks for the suggestion, I'll make an issue on github.