sql injection vulnerability in /zendesk/api/users #179
Comments
manueldimmler
added a commit
to manueldimmler/zendesk_magento_extension
that referenced
this issue
Apr 4, 2022
|
Thanks for calling this out @manueldimmler - are you able to submit a PR for it by chance? |
|
cc: @rsbowers |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There is an sql injection vulnerability in /zendesk/api/users with low impact because it's behind the authentication.
People knowing the API token are able to query any information they want from the database using the 'sort' parameter. Because it's not possible to use UNION after ORDER BY, you have to guess one character after another using CASE WHEN.
Example guessing the first character of the password hash from user with id 1:
GET zendesk/api/users?sort=(CASE WHEN (SELECT SUBSTRING(password, 1, 1) FROM admin_user WHERE user_id = 1) = 'a' THEN firstname ELSE lastname END)This could be fixed adding a default fallback to the switch statement to prevent inserting custom sql commands in https://github.com/agnostack/magento_extension/blob/develop/src/app/code/community/Zendesk/Zendesk/controllers/ApiController.php#L246
The text was updated successfully, but these errors were encountered: