Posts by Tom Donlon

1) Message boards : Questions and problems : Potential SQL Injection Vulnerability in Default BOINC Website (Message 110994)
Posted 2 Feb 2023 by Tom Donlon
Post:
Thanks for the suggestion, I'll make an issue on github.
2) Message boards : Questions and problems : Potential SQL Injection Vulnerability in Default BOINC Website (Message 110987)
Posted 1 Feb 2023 by Tom Donlon
Post:
Hello Everyone,

I'm a developer for MilkyWay@home, and our project recently failed a routine vulnerability scan from our host institution. The potential vulnerability comes from the "next_url" parameter in the BOINC website file "create_account_form.php" (link to the relevant code on github here https://github.com/BOINC/boinc/blob/master/html/user/create_account_form.php).

From what I understand, the vulnerability is this: if you put something in the website url after "create_account_form.php", like "create_account_form.php?next_url=1", then the page reloads but everything after the ? persists in the url. I'm told that this is difficult but not impossible to utilize for a SQL injection attack. Here's the full report that we got from our routine vulnerability scan:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'next_url' parameter of the /milkyway/create_account_form.php CGI :

/milkyway/create_account_form.php?next_url='+and+'b'>'a

-------- output --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="">
    
        <div class="form-group">
-------- vs --------
<p class="lead">If you already have an account and want to run Mil [...]
    <div class="container">
        <form class="form-horizontal" method="post" action="create_accou
nt_action.php"><input type="hidden" name="next_url" value="' and 'b'>'a"
>
    
        <div class="form-group">
------------------------


This looks like the scan was able to access unintended php source code for this webpage via the command line.

We would like to fix this issue so that it isn't a problem in the future. However, I don't have any experience with this sort of thing, and I was wondering if any of you who knew more could help us out. Additionally, we wanted to bring it to your attention so that the BOINC website code could get fixed, so that other people don't experience any issues from this in the future.

It looks like the BOINC code tries to sanitize the "next_url" parameter with the function "sanitize_local_url" in https://github.com/BOINC/boinc/blob/master/html/inc/util.inc. Maybe this sanitize function can be changed in some way to prevent this problem? Or maybe there's a better fix.

Best,
Tom Donlon
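The scan output quoted in the post shows what is being flagged: the value of the "next_url" query parameter is echoed into the hidden form field, and in the second ("vs") block the apostrophe and the ">" from the probe survive into the attribute unchanged. The following script is an added example, not code from the BOINC tree or from the poster; it reproduces that reflection by string concatenation, then shows the two hardening steps a practitioner would apply to a reflected redirect parameter: HTML-escaping the value before it is placed in an attribute, and restricting it to a relative same-site path before it is echoed or used as a redirect target. Function names, the default landing page "home.php", and all inputs except the first (the probe string from the scan report) are constructed for illustration.

```php
<?php
// Added example, not BOINC's code. Reproduces the reflection visible in the
// scan report (next_url echoed into a hidden input) and contrasts it with an
// escaped, path-restricted version. Function and variable names are
// illustrative assumptions, not names from the BOINC tree.

// The probe Nessus sent, exactly as printed in the scan report.
$scan_payload = "' and 'b'>'a";

// Unescaped reflection: the attribute is built by concatenation, so the
// quote and the '>' reach the HTML unchanged. This reproduces the second
// block of the report's output.
function hidden_field_unescaped(string $next_url): string {
    return '<input type="hidden" name="next_url" value="' . $next_url . '">';
}

// Escaped reflection: &, <, >, " and ' become entities, so the value can no
// longer close the attribute or the tag whatever the caller supplied.
function hidden_field_escaped(string $next_url): string {
    $safe = htmlspecialchars($next_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="next_url" value="' . $safe . '">';
}

// Restrict next_url to a relative, same-site path. Anything that names a
// scheme or a host (https://evil.example, //evil.example, javascript:...)
// or carries control characters (a problem if the value later lands in a
// Location: header) is replaced by the default page. Assumption: this site
// only ever needs local paths here.
function local_path_or_default(string $next_url, string $default = 'home.php'): string {
    if ($next_url === '' || substr($next_url, 0, 2) === '//') {
        return $default;
    }
    // parse_url returns null when the component is absent and false when
    // the string is malformed; either non-null result means reject.
    if (parse_url($next_url, PHP_URL_SCHEME) !== null) {
        return $default;
    }
    if (parse_url($next_url, PHP_URL_HOST) !== null) {
        return $default;
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $next_url)) {
        return $default;
    }
    return $next_url;
}

// Constructed inputs (the first one is the scan's own probe).
$cases = [
    $scan_payload,
    'home.php?foo=1',
    'https://attacker.example/phish',
    '//attacker.example/phish',
    'javascript:alert(1)',
    "home.php\r\nSet-Cookie: x=1",
];

foreach ($cases as $c) {
    echo "input:     ", json_encode($c), "\n";
    echo "unescaped: ", hidden_field_unescaped($c), "\n";
    echo "escaped:   ", hidden_field_escaped($c), "\n";
    echo "local:     ", local_path_or_default($c), "\n\n";
}
```

Run it with `php` on the command line. For the probe string the "unescaped" line reproduces the report's `value="' and 'b'>'a"` fragment, the "escaped" line shows the same input with the quote and ">" turned into entities, and the "local" line shows that the probe, the absolute URL, the protocol-relative URL, the javascript: URL and the CR/LF input all fall back to the default page while "home.php?foo=1" passes through. A scanner that compares responses for `next_url=1` against `next_url='+and+'b'>'a` will no longer see the raw probe characters in the page once the escaped form is used, and the path restriction is the check to apply regardless of what the scanner labels the finding.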
3) Message boards : Questions and problems : Error compiling new search start binary (Message 107548)
Posted 22 Mar 2022 by Tom Donlon
Post:
Hello,

I am a developer for MilkyWay@home, and we are working on updating our project to Ubuntu 20.04.4 LTS, as well as the newest version of BOINC. Our test server is running BOINC 1.2.1 and Ubuntu 20.04.4. When we try to run our search start binary that was compiled for the previous build of the server (Ubuntu 18 and BOINC 1.0.4), it seg faults. When we try to rebuild the binary, we get the following errors:

/usr/include/mysql/mysql.h:477:6: error: use of enum ‘net_async_status’ without previous declaration
  477 | enum net_async_status STDCALL mysql_real_connect_nonblocking(
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:481:6: error: use of enum ‘net_async_status’ without previous declaration
  481 | enum net_async_status STDCALL mysql_send_query_nonblocking(
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:483:6: error: use of enum ‘net_async_status’ without previous declaration
  483 | enum net_async_status STDCALL mysql_real_query_nonblocking(
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:485:6: error: use of enum ‘net_async_status’ without previous declaration
  485 | enum net_async_status STDCALL
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:487:6: error: use of enum ‘net_async_status’ without previous declaration
  487 | enum net_async_status STDCALL mysql_next_result_nonblocking(MYSQL *mysql);
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:488:6: error: use of enum ‘net_async_status’ without previous declaration
  488 | enum net_async_status STDCALL mysql_select_db_nonblocking(MYSQL *mysql,
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:536:6: error: use of enum ‘net_async_status’ without previous declaration
  536 | enum net_async_status STDCALL mysql_free_result_nonblocking(MYSQL_RES *result);
      |      ^~~~~~~~~~~~~~~~
/usr/include/mysql/mysql.h:543:6: error: use of enum ‘net_async_status’ without previous declaration
  543 | enum net_async_status STDCALL mysql_fetch_row_nonblocking(MYSQL_RES *res,
      |      ^~~~~~~~~~~~~~~~


These appear to have to do with mysql, and it appears that someone else has had a similar problem with mysql and Ubuntu 20 (https://github.com/vincefn/objcryst/issues/48). Does anyone have any ideas how to work around this? Thanks for the help.

Best,
Tom

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.