Impact
If the user selects in user preferences the "Recently Visited Packages" view for the index page, the website backend uses the value of search_history cookie as base64 encoded comma separated list of atoms, which are string loaded directly into the SQL query with atom = '%s' format string. As a result, any user can modify the browser's cookie value and inject most SQL queries. A proof of concept malformed cookie was generated that wiped the database or changed it's content.
On the database, only public data is stored, so there is no confidentiality issues to our users. If known that the database was modified, a full restoration of data is possible by performing a full database wipe and performing full update of all components.
Patches
5ae9ca83b73 commit id contains the patch
Workarounds
- Use a proxy to always drop the
search_history cookie until upgraded. The impact on user experience is low.
- Add sanitize to the value of
search_history cookie after base64 decoding it.
References
- https://gitweb.gentoo.org/sites/soko.git/commit/?id=5ae9ca83b735804f2bd405592983a73d7fcc42f4
arthurzam Analyst
Impact
If the user selects in user preferences the "Recently Visited Packages" view for the index page, the website backend uses the value of
search_historycookie as base64 encoded comma separated list of atoms, which are string loaded directly into the SQL query withatom = '%s'format string. As a result, any user can modify the browser's cookie value and inject most SQL queries. A proof of concept malformed cookie was generated that wiped the database or changed it's content.On the database, only public data is stored, so there is no confidentiality issues to our users. If known that the database was modified, a full restoration of data is possible by performing a full database wipe and performing full update of all components.
Patches
5ae9ca83b73commit id contains the patchWorkarounds
search_historycookie until upgraded. The impact on user experience is low.search_historycookie after base64 decoding it.References