aaa / AAA-241

SQL injection in the aaa-idm-store-h2 (deleteUser function)

Details

    Type: Bug
    Status: Resolved
    Priority: Low
    Resolution: Done
    Affects Version/s: 0.15.0, 0.16.0, 0.15.6, 0.16.4
    Fix Version/s: 0.17.0, 0.16.5, 0.15.8
    Environment: ubuntu20.04, aaa version 0.17.0

    Description

      Hello,

      I am writing to report a vulnerability in one of the components of OpenDaylight, aaa.

      With this bug, attackers can perform SQL injection against the component's database (SQLite).

      The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java (deleteUser function).

      As we can see, aaa concatenates the userid to build a DELETE SQL query, and it executes the query in SQLite.

      However, in line 235, the userid (escaped) is a string. If the user calls the API interface /auth/v1/users/ to add a malicious user, and then calls the deleteUser function to delete the user, it will cause SQL injection.

      For example, he can call the API interface /auth/v1/users/ with the POST method; it will call the createUser function to add a user. If the user name is:

      ' or 1=1--+

      Then call the API interface /auth/v1/users/' or 1=1--+@DOMAIN_ID with the DELETE method; it will call the deleteUser function to delete the user. The SQL query is:

      DELETE FROM AAA_USERS WHERE userid = '' or 1=1--+'@DOMAIN_ID

      And all the elements in the AAA_USERS table are removed due to this malicious query.

      Please consider fixing this security vulnerability as soon as possible.

       

      Best wishes,

      Chunyang Han
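
The injection the report describes, as an added example that is not part of this issue or of the aaa project's code: a deletion built by string concatenation beside a parameterised one, both run against an in-memory SQLite database. Python's sqlite3 stands in for the user store here; the AAA_USERS column set, the sample rows, the domain suffix and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for rows of the AAA_USERS table
# named in the report; the column set is an assumption for this demo.
SAMPLE_USERS = [
    ("alice@sdn", "sdn", "alice"),
    ("bob@sdn", "sdn", "bob"),
    ("admin@sdn", "sdn", "admin"),
]

# The user name from the report, with the domain suffix that the
# /auth/v1/users/ DELETE call appends (suffix value is an assumption).
MALICIOUS_USERID = "' or 1=1--+@DOMAIN_ID"


def fresh_store():
    """In-memory SQLite database playing the role of the user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AAA_USERS (userid TEXT PRIMARY KEY, domainid TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO AAA_USERS VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def create_user(conn, userid, domainid, name):
    """User creation is parameterised here; the flaw lives only in deletion."""
    conn.execute("INSERT INTO AAA_USERS VALUES (?, ?, ?)", (userid, domainid, name))
    conn.commit()


def delete_user_concat(conn, userid):
    """Vulnerable pattern from the report: the user id is spliced into the
    statement text, so a quote closes the literal and '--' comments out the
    rest. Returns the number of rows removed."""
    query = "DELETE FROM AAA_USERS WHERE userid = '" + userid + "'"
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def delete_user_param(conn, userid):
    """Hardened form: the id travels as a bound parameter, never as SQL
    text, so its quotes and '--' are just characters. Returns rows removed."""
    cur = conn.execute("DELETE FROM AAA_USERS WHERE userid = ?", (userid,))
    conn.commit()
    return cur.rowcount


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM AAA_USERS").fetchone()[0]


def run_scenario(delete_fn):
    """Replay the report's steps: create the malicious user, then delete it
    with the given function. Returns (rows_deleted, rows_left)."""
    conn = fresh_store()
    create_user(conn, MALICIOUS_USERID, "DOMAIN_ID", "' or 1=1--+")
    deleted = delete_fn(conn, MALICIOUS_USERID)
    return deleted, count_users(conn)


if __name__ == "__main__":
    # Concatenation: WHERE userid = '' or 1=1 matches every row -> (4, 0)
    print("concatenated:", run_scenario(delete_user_concat))
    # Bound parameter: only the malicious user is removed -> (1, 3)
    print("parameterised:", run_scenario(delete_user_param))
```

Running the block shows the concatenated form removing all four rows while the bound-parameter form removes only the user that was created. Both SQLite and H2 treat `--` as a line comment, so the trailing `'@DOMAIN_ID` is discarded in either engine; binding the value instead of splicing it into the statement text is the fix regardless of which database sits behind the store.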


People

    Assignee: rovarga Robert Varga
    Reporter: anemone Han Chunyang

Time Tracking

    Original Estimate: 2w
    Remaining Estimate: 4d
    Time Spent: Not Specified