[hibernate-issues] [Hibernate-JIRA] Created: (HHH-6672) Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
Peter Schuler (JIRA)
noreply at atlassian.com
Tue Sep 20 15:47:35 EDT 2011
Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
------------------------------------------------------------------------------------------------------------------------------
Key: HHH-6672
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6672
Project: Hibernate Core
Issue Type: Bug
Components: query-hql
Affects Versions: 4.0.0.CR3, 3.6.7
Environment: Mysql Database
Reporter: Peter Schuler
Inserting the word 'union' anywhere in a HQL or JP-QL query truncates the query string. I consider this a security issue because it makes exploiting HQL of JP-QL injections easier.
For example:
from Persoon p where p.persoonId = '1' --> returns just 1 entry.
But:
from Persoon p union where p.persoonId = '1' --> ignores the part after union and returns the whole table.
However:
from Persoon p unionS where p.persoonId = '1' --> or any other word results in a QuerySyntaxException as is expected.
This behaviour is documented in HHH-1050. It looks like this in a halfway implemented feature.
This undocumented behaviour is a security risk because it makes exploiting JP-QL or HQL injections a lot easier. If you can inject into the query string you can easily truncate the remainder of the query. Even if the remainder will somehow restrict the the query result.
This can be fixed changing the behaviour of the query parser by throwing a QuerySyntaxException.
ps: I'll try to add a test case but I hope I've provided enough information.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the hibernate-issues
mailing list