Try ERPNext Buy Support Partners Foundation Foundation Members

SQL Injection in Report View

Hi all,

Currenly, I’m in process of implementing in Banking sector :). During the security penetration, security team discover a high security bug in Report View. Here is the log:

Form Dict: {
 "cmd": "frappe.desk.reportview.get", 
 "doctype": "Opportunity", 
 "fields": "[\"`tabOpportunity`.`name`\",\"`tabOpportunity`.`owner`\",\"`tabOpportunity`.`docstatus`\",\"`tabOpportunity`.`_user_tags`\",\"`tabOpportunity`.`_comments`\",\"`tabOpportunity`.`modified`\",\"`tabOpportunity`.`modified_by`\",\"`tabOpportunity`.`_assign`\",\"`tabOpportunity`.`_liked_by`\",\"`tabOpportunity`.`_seen`\",\"`tabOpportunity`.`title`\",\"`tabOpportunity`.`naming_series`\",\"`tabOpportunity`.`sale_stage`\",\"`tabOpportunity`.`customer_name`\",\"`tabOpportunity`.`opportunity_type`\",\"`tabOpportunity`.`enquiry_from`\",\"`tabOpportunity`.`status`\"]", 
 "filters": "[[\"Opportunity\",\"/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd\",\"=\",\"Open\"]]", 
 "order_by": "`tabOpportunity`.`modified` desc", 
 "page_length": "20", 
 "start": "0", 
 "user_settings": "{\"updated_on\":\"Fri Aug 10 2018 09:57:15 GMT+0700\",\"last_view\":\"List\",\"List\":{\"order_by\":\"`tabOpportunity`.`modified` desc\",\"filters\":[[\"Opportunity\",\"status\",\"=\",\"Open\"]]}}", 
 "with_comment_count": "true"
}
Request Error
Traceback (most recent call last):
  File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 62, in application
    response = frappe.handler.handle()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 22, in handle
    data = execute_cmd(cmd)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 53, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 939, in call
    return fn(*args, **newargs)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/desk/reportview.py", line 21, in get
    data = compress(execute(**args), args = args)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/desk/reportview.py", line 26, in execute
    return DatabaseQuery(doctype).execute(*args, **kwargs)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/model/db_query.py", line 88, in execute
    result = self.build_and_run()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/model/db_query.py", line 112, in build_and_run
    return frappe.db.sql(query, as_dict=not self.as_list, debug=self.debug, update=self.update)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/database.py", line 176, in sql
    self._cursor.execute(query)
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/cursors.py", line 170, in execute
    result = self._query(query)
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/cursors.py", line 328, in _query
    conn.query(q)
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/connections.py", line 893, in query
    self._affected_rows = self._read_query_result(unbuffered=unbuffered)
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/connections.py", line 1103, in _read_query_result
    result.read()
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/connections.py", line 1396, in read
    first_packet = self.connection._read_packet()
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/connections.py", line 1059, in _read_packet
    packet.check_error()
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/connections.py", line 384, in check_error
    err.raise_mysql_exception(self._data)
  File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/pymysql/err.py", line 109, in raise_mysql_exception
    raise errorclass(errno, errval)
ProgrammingError: (1064, u"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%' at line 1")
2 Likes

Please send disclosure details to report@erpnext.com or create a github issue for this.

1 Like

@Tai_Tran1 hi can you elaborate on the bug?