magento_extension icon indicating copy to clipboard operation
magento_extension copied to clipboard

Published 20 hours ago verified publisher icon agnostack

sql injection vulnerability in /zendesk/api/users

Open manueldimmler opened this issue 3 years ago • 2 comments

There is an sql injection vulnerability in /zendesk/api/users with low impact because it's behind the authentication.

People knowing the API token are able to query any information they want from the database using the 'sort' parameter. Because it's not possible to use UNION after ORDER BY, you have to guess one character after another using CASE WHEN.

Example guessing the first character of the password hash from user with id 1: GET zendesk/api/users?sort=(CASE WHEN (SELECT SUBSTRING(password, 1, 1) FROM admin_user WHERE user_id = 1) = 'a' THEN firstname ELSE lastname END)

This could be fixed adding a default fallback to the switch statement to prevent inserting custom sql commands in https://github.com/agnostack/magento_extension/blob/develop/src/app/code/community/Zendesk/Zendesk/controllers/ApiController.php#L246

manueldimmler avatar Apr 04 '22 09:04 manueldimmler

Thanks for calling this out @manueldimmler - are you able to submit a PR for it by chance?

agrohs avatar Feb 08 '23 20:02 agrohs

cc: @rsbowers

agrohs avatar Apr 04 '23 22:04 agrohs