sql injection vulnerability in /zendesk/api/users
manueldimmler opened this issue · 2 comments
There is an sql injection vulnerability in /zendesk/api/users with low impact because it's behind the authentication.
People knowing the API token are able to query any information they want from the database using the 'sort' parameter. Because it's not possible to use UNION after ORDER BY, you have to guess one character after another using CASE WHEN.
Example guessing the first character of the password hash from user with id 1:
GET zendesk/api/users?sort=(CASE WHEN (SELECT SUBSTRING(password, 1, 1) FROM admin_user WHERE user_id = 1) = 'a' THEN firstname ELSE lastname END)
This could be fixed adding a default fallback to the switch statement to prevent inserting custom sql commands in https://github.com/agnostack/magento_extension/blob/develop/src/app/code/community/Zendesk/Zendesk/controllers/ApiController.php#L246
Thanks for calling this out @manueldimmler - are you able to submit a PR for it by chance?