SQL injection attempts kill Etherpad lite
Hi,
On our server we were getting some Etherpad outages. We related it to a nasty query:
https://pad.bling.org/javascripts/lib/ep_etherpad-lite/static/js/pad.js?callback=require.define&vLtF%3D6904%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23
A “minimal” query example:
https://pad.bling.org/javascripts/lib/ep_etherpad-lite/static/js/pad.js?callback=require.define&vLtF%3D6904%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E%27
This provokes an immediate crash:
oct. 23 18:17:19 pad.bling.org run.sh[8976]: [2018-10-23 18:17:19.994] [ERROR] console - Error: ENAMETOOLONG: name too long, open '/var/www/etherpad-lite/var/minified_L2phdmFzY3JpcHRzL2xpYi9lcF9ldGhlcn
oct. 23 18:17:19 pad.bling.org run.sh[8976]: at Error (native)
oct. 23 18:17:19 pad.bling.org run.sh[8976]: [2018-10-23 18:17:19.995] [INFO] console - graceful shutdown...
oct. 23 18:17:20 pad.bling.org run.sh[8976]: [2018-10-23 18:17:20.091] [INFO] console - db sucessfully closed.
We are running the 1.7.0 flavor on Debian Stretch with node v6.14.4 and no specific customization. We reproduced the behavior on two independent Etherpad installations.
Top GitHub Comments
Hi, @tomnomnom, this is clever. It completely makes sense that cache keys are of fixed length. In this way they stay dependent on the content, with a practically non-existent risk of collisions.
I’ll have a look tonight. Well done!
Hum… actually it has already been disclosed because it is used by some nasty guys.
Also, I don't see how to report it in a non-public way. The project description doesn't mention any private feedback loop for security issues. How do you think I should have reported it?