SQL Injection in galette/galette

Valid

Reported on

Nov 8th 2021


Description

Hi, I could find a SQL Injection when adding a user.

From OWASP: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

Proof of Concept

From the administrator panel:

  1. Add a user and intercept the request
  2. In the id_status field, place the payload (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- - to perform a 10s sleep.
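
The injected field is a numeric status id, so the defender-side fix is strict validation of the request value plus parameter binding in the query. The Python/SQLite sketch below is an added example, not Galette's own code (Galette is a PHP application); the table and column names and the accepted id range are assumptions made for the illustration.

```python
import sqlite3

# Constructed copy of the value the report places in the id_status field.
REPORTED_PAYLOAD = "(SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -"


def parse_status_id(raw: str) -> int:
    """Whitelist validation for a numeric request field.

    A status id is a small positive integer; anything else is refused before
    it reaches the database. isdigit() also rejects signs, spaces and comments.
    """
    if not raw.isdigit():
        raise ValueError(f"id_status must be a positive integer, got {raw!r}")
    value = int(raw)
    if not 1 <= value <= 10_000:  # upper bound is an assumption for the example
        raise ValueError("id_status out of range")
    return value


def open_db() -> sqlite3.Connection:
    # Minimal stand-in for a members table; names are assumed, not Galette's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE adherents (id_adh INTEGER PRIMARY KEY, nom TEXT, id_statut INTEGER)"
    )
    return conn


def _insert(conn: sqlite3.Connection, name: str, status):
    # The SQL text is fixed; the driver sends the values separately, so the
    # input can never change the statement's structure (no comment, no subquery).
    cur = conn.execute(
        "INSERT INTO adherents (nom, id_statut) VALUES (?, ?)", (name, status)
    )
    return conn.execute(
        "SELECT id_statut FROM adherents WHERE id_adh = ?", (cur.lastrowid,)
    ).fetchone()[0]


def add_member(conn: sqlite3.Connection, name: str, raw_status: str) -> int:
    """Hardened handler: validate first, then bind. Returns the stored id_statut."""
    return _insert(conn, name, parse_status_id(raw_status))


def bind_without_validation(conn: sqlite3.Connection, raw_status: str):
    """Shows that binding alone already neutralises the payload: SQLite stores the
    string as inert text instead of executing it. Validation on top turns that
    into a clean error rather than junk data in the table."""
    return _insert(conn, "probe", raw_status)
```

Running add_member with the reported payload raises ValueError, while bind_without_validation returns the payload verbatim as stored data, which is exactly the behaviour a code reviewer wants to confirm after a fix like this one.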

Impact

  • Access to the database in read/write mode

Timeline

  • We are processing your report and will contact the galette team within 24 hours. (3 months ago)
  • We have contacted a member of the galette team and are waiting to hear back. (3 months ago)
  • galette/galette maintainer validated this vulnerability. (3 months ago)
  • JoMar has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • Johan Cwiklinski confirmed that a fix has been merged on 8e9406. (2 months ago)
  • Johan Cwiklinski has been awarded the fix bounty.