aaa / AAA-240

SQL injection in the aaa-idm-store-h2 (deleteDomain function)


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Low
    • Resolution: Done
    • Affects Version/s: 0.15.0, 0.16.0, 0.15.6, 0.16.4
    • Fix Version/s: 0.17.0, 0.16.5, 0.15.8
    • Environment: ubuntu20.04, aaa version 0.17.0

    Description

      Hello,

      I am writing to report a vulnerability in one of the components of OpenDaylight, aaa.

      With this bug, attackers can perform SQL injection against the component's database (SQLite).

      The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java (deleteDomain function).

      As we can see, aaa concatenates the domainid into a DELETE SQL query and executes the query in SQLite.

      However, in line 197, the domainid (escaped) is a string. If the user calls the API interface /auth/v1/domains/ to add a malicious domain, and then calls the deleteDomain function to delete the domain, it will cause SQL injection.

      For example, he can call the API interface /auth/v1/domains/ with the POST method, which will call the createDomain function to add a domain. If the domain name is:

      ' or 1=1--+

      Then call the API interface /auth/v1/domains/' or 1=1--+ with the DELETE method, which will call the deleteDomain function to delete the domain. The SQL query is:

      DELETE FROM AAA_DOMAINS WHERE domainid = '' or 1=1--+'

      All the elements in the AAA_DOMAINS table are removed due to this malicious query.

      Please consider fixing this security vulnerability as soon as possible.

      Best wishes,

      Chunyang Han
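As an added illustration, not code from the report above or from the OpenDaylight aaa project, the script below reproduces the reported pattern against an in-memory SQLite table and places the parameterized form beside it. The AAA_DOMAINS layout (a domainid column plus a name column), the three seeded rows and the exact shape of the concatenated statement are constructed assumptions; the domain name used is the one from the report. The vulnerable function deletes every row, the fixed one deletes only the row whose id is literally that string.

```python
import sqlite3

# Constructed sample rows; the real store is H2, SQLite stands in here (assumption).
SAMPLE_DOMAINS = ["sdn", "tenant-a", "tenant-b"]
# The domain name from the report, submitted via POST /auth/v1/domains/.
REPORTED_NAME = "' or 1=1--+"


def fresh_db():
    """Return an in-memory database seeded with the constructed AAA_DOMAINS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AAA_DOMAINS (domainid TEXT PRIMARY KEY, name TEXT)")
    # Setup inserts are parameterized; only the delete path is under examination.
    conn.executemany("INSERT INTO AAA_DOMAINS VALUES (?, ?)",
                     [(d, d) for d in SAMPLE_DOMAINS])
    conn.commit()
    return conn


def delete_domain_vulnerable(conn, domainid):
    """Mirror of the reported defect: the id is spliced into the statement text.

    Returns the number of rows the statement removed.
    """
    sql = "DELETE FROM AAA_DOMAINS WHERE domainid = '" + domainid + "'"  # assumed shape
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_domain_fixed(conn, domainid):
    """Hardened form: the id is bound as a parameter, so it can only ever be data."""
    cur = conn.execute("DELETE FROM AAA_DOMAINS WHERE domainid = ?", (domainid,))
    conn.commit()
    return cur.rowcount


def count_domains(conn):
    """Rows currently in AAA_DOMAINS."""
    return conn.execute("SELECT COUNT(*) FROM AAA_DOMAINS").fetchone()[0]


def run_demo():
    """Run both delete paths against identical data; returns (deleted, remaining) per path."""
    results = {}

    # Vulnerable path: `'' or 1=1--+'` makes the WHERE clause true for every row,
    # and the trailing quote is swallowed by the `--` comment.
    conn = fresh_db()
    conn.execute("INSERT INTO AAA_DOMAINS VALUES (?, ?)", (REPORTED_NAME, REPORTED_NAME))
    deleted = delete_domain_vulnerable(conn, REPORTED_NAME)
    results["vulnerable"] = (deleted, count_domains(conn))

    # Fixed path: the same string matches exactly one row and nothing else.
    conn = fresh_db()
    conn.execute("INSERT INTO AAA_DOMAINS VALUES (?, ?)", (REPORTED_NAME, REPORTED_NAME))
    deleted = delete_domain_fixed(conn, REPORTED_NAME)
    results["fixed"] = (deleted, count_domains(conn))
    return results


if __name__ == "__main__":
    for path, (deleted, remaining) in run_demo().items():
        print(f"{path}: deleted {deleted} row(s), {remaining} remaining")
```

The Java equivalent of the fixed path is a JDBC PreparedStatement with a `?` placeholder and `setString`, which is the standard remedy for this class of bug; escaping the value by hand, as the report notes the code attempts, is not a substitute for binding it.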



          People

            Assignee: Robert Varga (rovarga)
            Reporter: Han Chunyang (anemone)
            Votes: 0
            Watchers: 2


              Time Tracking

                Original Estimate: 2 weeks (2w)
                Remaining Estimate: 4 days (4d)
                Time Spent: Not Specified