October 26, 2008
I am going to be very clear about this today. In the past I posted vulnerabilities in many websites, including websites from companies who say they secure web applications or store web application vulnerabilities, and even those who give out certifications like (ISC)2, and I left out those who talk about application security while using insecure software packages to speak about it, because yeah, it's not their fault, is it? What does that say about them? Well, for starters it's the same thing as having a police officer commit a crime. It's about time for some introspective analysis for each and everyone in the web application security field before this stuff gets further out of control. No wonder no one takes web application security and its experts seriously: look at the mess around you and your application security vendor who fails to secure himself. So when I see the secure coding group from CERT talk about secure coding standards[1] I get really disappointed when they are vulnerable themselves. It's not like we are dealing with a space mission to Mars, for example; it's just web application security, for fuck's sake! Something that can be explained to any 5th grader on four sheets of paper.
Judge for yourself, always useful to gain some extra SQL practice in real life:
A system error has occurred - our apologies!
Please ask your Confluence administrator to create a support issue on Atlassian's support system at http://support.atlassian.com with the following information:
1. a description of your problem and what you were doing at the time it occurred
2. a copy of the error and system information found below
3. a copy of the application logs (if possible).
Your Confluence administrator can use the support request form to create a support ticket which will include this information.
We will respond as promptly as possible.
Thank you!
Cause
java.lang.IllegalArgumentException: Invalid search query found in specified search.
at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)
caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)
caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)
Stack Trace:
java.lang.IllegalArgumentException: Invalid search query found in specified search.
at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)
at com.atlassian.confluence.search.actions.SearchSiteAction.exactUsernameSearch(SearchSiteAction.java:286)
at com.atlassian.confluence.search.actions.SearchSiteAction.getContributors(SearchSiteAction.java:237)
at com.atlassian.confluence.search.actions.SearchSiteAction.validate(SearchSiteAction.java:158)
at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:44)
at com.atlassian.confluence.core.ConfluenceWorkflowInterceptor.intercept(ConfluenceWorkflowInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:48)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:54)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:120)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:67)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:39)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:25)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:97)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)
at com.opensymphony.webwork.dispatcher.ServletDispatcher.serviceAction(ServletDispatcher.java:229)
at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.atlassian.confluence.util.profiling.ProfilingPageFilter.parsePage(ProfilingPageFilter.java:153)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:54)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.jmx.JmxFilter.doFilter(JmxFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.util.LoggingContextFilter.doFilter(LoggingContextFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.util.UserThreadLocalFilter.doFilter(UserThreadLocalFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:192)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.seraph.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:120)
at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:28)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:35)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:170)
at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:75)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:142)
at com.atlassian.core.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:27)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.core.datetime.RequestTimeThreadLocalFilter.doFilter(RequestTimeThreadLocalFilter.java:34)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:94)
at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:64)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:33)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:482)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)
at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:15)
at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30)
at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.addSubQueries(BooleanQueryMapper.java:43)
at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.convertToLuceneQuery(BooleanQueryMapper.java:29)
at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30)
at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:52)
... 113 more
Caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)
at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:42)
... 119 more
Referer URL
Unknown
Confluence Application Information
Build Information
buildNumber: 1418
upTime: 2 days, 2 hours, 12 minutes, 11 seconds
devMode: false
version: 2.9.1
home: /var/lib/confluence
Unique ID: 0x0000011D5EDA2F53458D112A3234C9F2472F5C45C3AF54AE9C867DF600E1355
Server information
Application Server: Apache Tomcat/5.5.26
Servlet Version: 2.4
Database Dialect: com.atlassian.hibernate.dialect.MySQLDialect
Database Driver Name: com.mysql.jdbc.Driver
Database Driver Version: 5.0
Database Name: MySQL
Database Version: 4.1.22
Database Transaction Isolation: Repeatable read Database Latency: 0
Memory Information
Total Memory: 1016 MB
Used Memory: 913 MB
Free Memory: 103 MB
System Information
userName: tomcat
favouriteColour: Sangria
time: 08:05:12
javaVm: Java HotSpot(TM) Client VM
operatingSystemArchitecture: i386
date: Friday, 24 Oct 2008
operatingSystem: Linux 2.6.9-78.0.1.ELsmp
jvmVersion: 1.0
userTimezone: US/Eastern
fileSystemEncoding: UTF-8
jvmImplementationVersion: 1.5.0_16-b02
appServer: Apache Tomcat
javaVendor: Sun Microsystems Inc.
javaVersion: 1.5.0_16
javaRuntime: Java(TM) 2 Runtime Environment, Standard Edition
jvmVendor: Sun Microsystems Inc.
Cluster Information
Not clustered.
Plugins
* Add Content Menu Sections (confluence.menu.add, Version: 1.0)
* Admin Sections (confluence.sections.admin, Version: 1.0)
* Advanced Macros (confluence.macros.advanced, Version: 1.4.2)
* Attachment Actions (confluence.sections.attachments, Version: 1.0)
* Attachment Extractors (com.atlassian.confluence.plugins.attachmentExtractors, Version: 1.0-SNAPSHOT)
* Basic Macros (confluence.macros.basic, Version: 1.4)
* Browse Menu Items (confluence.sections.browse, Version: 1.0)
* Chart Plugin (confluence.extra.chart, Version: 1.11)
* Clickr Theme (com.atlassian.confluence.themes.clickr, Version: 2.2)
* Code Macro (confluence.macros.code, Version: 1.5)
* Comment Action Sections (confluence.comment.action, Version: 1.0)
* Confluence Atlassian Plugin Repository (confluence.repository.client, Version: 2.0.15)
* Confluence Attachments Plugin (confluence.extra.attachments, Version: 2.10)
* Confluence Classic Theme (com.atlassian.confluence.themes.classic, Version: 2.0)
* Confluence Contributors Plugin (com.atlassian.confluence.contributors, Version: 1.2)
* Confluence Usage Stats (com.atlassian.confluence.ext.usage, Version: 0.8)
* Content Action Menu Sections (confluence.content.action.menu, Version: 1.0)
* Content Buttons (confluence.sections.page.temp, Version: 1.0)
* Core Extractors (confluence.extractors.core, Version: 1.4)
* Core Listeners (confluence.listeners.core, Version: 1.3)
* Core Path Converters (confluence.converters.core, Version: 1.0)
* Core Startup and Shutdown (confluence.lifecycle.core, Version: 1)
* Dashboard Macros (confluence.macros.dashboard, Version: 1.4.2)
* Default Theme (com.atlassian.confluence.themes.default, Version: 1.0)
* Dynamic Task List 2 Plugin (confluence.extra.dynamictasklist2, Version: 3.0.6)
* Edit Profile Sections (confluence.sections.profile.edit, Version: 1.0)
* French language pack (confluence.languages.fr_FR, Version: 1.8)
* German language pack (confluence.languages.de_DE, Version: 1.3)
* Global Labels Sections (confluence.sections.labels, Version: 1.0)
* Information Macros (confluence.extra.information, Version: 1.0)
* Layout Macros (confluence.extra.layout, Version: 1.1)
* Left Navigation Theme (com.atlassian.confluence.themes.leftnavigation, Version: 2.0)
* Live Search Macros (confluence.extra.livesearch, Version: 2.8)
* News Tabs (confluence.sections.news, Version: 1.0)
* Page Operations (confluence.sections.page.operations, Version: 1.0)
* Page Tabs (confluence.sections.page, Version: 1.0)
* Page Tabs (confluence.search.mappers.lucene, Version: 1.0)
* Page Tree (com.atlassian.confluence.plugins.pagetree, Version: 1.10)
* Page View Links (confluence.sections.page.actions, Version: 1.0)
* Profile Tabs (confluence.sections.profile, Version: 1.0)
* Search Web Interface (confluence.sections.search.view, Version: 1.0)
* Space Actions Sections (confluence.sections.space.actions, Version: 1.0)
* Space Admin Sections (confluence.sections.space.admin, Version: 1.0)
* Space Advanced Sections (confluence.sections.space.advanced, Version: 1.0)
* Space Browse Sections (confluence.sections.space.browse, Version: 1.0)
* Space Item Tabs (confluence.sections.space, Version: 1.0)
* Space Labels Sections (confluence.sections.space.labels, Version: 1.0)
* Space Pages Sections (confluence.sections.space.pages, Version: 1.0)
* System Web Resources (confluence.web.resources, Version: 1.0)
* Table of Contents Plugin (org.randombits.confluence.toc, Version: 2.4.8)
* Tabular Metadata (confluence.extra.masterdetail, Version: 2.7)
* TinyMCE Editor Plugin (com.atlassian.confluence.extra.tinymceplugin, Version: 3.0-rc2)
* User Lister (confluence.extra.userlister, Version: 2.4)
* User Menu Sections (confluence.user.menu, Version: 1.0)
* View Profile Web Interface (confluence.sections.profile.view, Version: 1.0)
* Wiki Renderer Components (confluence.renderer.components, Version: 1.0)
Request
Information
URL
https://www.securecoding.cert.org/confluence/500page.jsp
URI
/confluence/500page.jsp
Context Path
/confluence
Servlet Path
/500page.jsp
Query String
queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
Headers (Limited subset)
host
www.securecoding.cert.org
user-agent
Mozilla/1.0 (Windows; U; Windows NT 1.1; en-US; rv:2.9.0.3) Gecko/2002016217
keep-alive
300
connection
keep-alive
Attributes
javax.servlet.forward.request_uri
/confluence/dosearchsite.action
javax.servlet.forward.context_path
/confluence
javax.servlet.forward.servlet_path
/dosearchsite.action
javax.servlet.forward.path_info
/500page.jsp
javax.servlet.forward.query_string
queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.error.message
javax.servlet.error.exception
java.lang.IllegalArgumentException: Invalid search query found in specified search.
os_securityfilter_already_filtered
true
com.atlassian.johnson.filters.JohnsonFilter_already_filtered
true
__sitemesh__using_stream
false
javax.servlet.error.request_uri
/confluence/dosearchsite.action
com.atlassian.gzipfilter.GzipFilter_already_filtered
true
javax.servlet.error.status_code
500
__sitemesh__filterapplied
true
javax.servlet.error.servlet_name
action
webwork.valueStack
com.opensymphony.xwork.util.OgnlValueStack@e2a5ac
Confluence-Request-Time
1224851735677
loginfilter.already.filtered
true
atlassian.core.seraph.original.url
/dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.jsp.jspException
java.lang.IllegalArgumentException: Invalid search query found in specified search.
sessioninview.FILTERED
true
Parameters (Limited subset)
queryString
">
">
contributorUsername
type
where
conf_all
lastModified
contributor
">
Confluence User
anonymous
^ Oops, besides this hideous blob of intelligence it also let us modify the SQL query. Finally something really interesting to discuss at those cocktail parties, or is it?
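Two things in the dump above are worth separating for anyone who has to fix or detect this class of problem: the "Cause" block shows that the raw request parameter (`">`) went straight into Lucene's classic QueryParser, which choked on the unterminated quote, and the rest of the page hands out stack frames, the Confluence home directory and the exact Tomcat, MySQL, kernel and JVM versions. The following Python is an added example written for this post; it is not code from the original post, from Atlassian or from CERT. It assumes a constructed error-page excerpt modelled on the dump (the sample text is built inline from values quoted above), a hypothetical `analyse_error_page` checker that a scanner or log review could run against HTTP response bodies, and an `escape_lucene` helper that mirrors what Java's `QueryParser.escape()` does for the special characters of the Lucene 2.x query syntax.

```python
import re

# Constructed sample, trimmed and modelled on the Confluence 500 page quoted in the
# post. It is not captured traffic; the values are copied from the post's dump.
SAMPLE_RESPONSE = """\
A system error has occurred - our apologies!
Cause
java.lang.IllegalArgumentException: Invalid search query found in specified search.
at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)
caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\\">"
at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)
version: 2.9.1
home: /var/lib/confluence
Application Server: Apache Tomcat/5.5.26
Database Name: MySQL
Database Version: 4.1.22
operatingSystem: Linux 2.6.9-78.0.1.ELsmp
javaVersion: 1.5.0_16
"""

# A Java stack frame: "at pkg.Class.method(File.java:NN)".
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\(([\w$]+\.java):(\d+)\)\s*$", re.M)
# An exception line, optionally prefixed with "caused by:" / "Caused by:".
EXCEPTION_RE = re.compile(r"^(?:[Cc]aused by:\s*)?([\w.]+(?:Exception|Error)):\s*(.*)$", re.M)
# Lucene's parser echoes the offending input back verbatim in its message.
CANNOT_PARSE_RE = re.compile(r"Cannot parse '(.*?)':")
# Environment facts that a generic error page should never carry.
DISCLOSURE_RE = re.compile(
    r"^(version|home|Application Server|Database Name|Database Version|operatingSystem|javaVersion):\s*(.+)$",
    re.M,
)


def analyse_error_page(body: str) -> dict:
    """Summarise what an error response reveals about the server and the request."""
    frames = FRAME_RE.findall(body)
    exceptions = EXCEPTION_RE.findall(body)          # [(class, message), ...]
    echoed = CANNOT_PARSE_RE.findall(body)           # raw input reflected into the page
    disclosed = dict(DISCLOSURE_RE.findall(body))    # {field: value}
    return {
        "stack_frames": len(frames),
        "exceptions": exceptions,
        "echoed_input": echoed,
        "disclosed": disclosed,
        # Any of these means the page is a debugging aid, not a user-facing error.
        "verbose": bool(frames or exceptions or disclosed),
    }


# Characters the Lucene 2.x classic QueryParser treats as syntax. Java's
# QueryParser.escape() prefixes each of them with a backslash; this mirrors it.
LUCENE_SPECIAL = set('\\+-!():^[]"{}~*?|&')


def escape_lucene(term: str) -> str:
    """Escape user text so it is searched literally rather than parsed as query syntax."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in term)


def safe_error_body(reference_id: str) -> str:
    """What the client should get instead: a reference to look up in server-side logs,
    with the exception, frames and versions written to the log rather than the page."""
    return f"An internal error occurred. Please quote reference {reference_id} to the administrator."


if __name__ == "__main__":
    report = analyse_error_page(SAMPLE_RESPONSE)
    print("verbose page:", report["verbose"])
    print("frames:", report["stack_frames"], "exceptions:", [c for c, _ in report["exceptions"]])
    print("reflected input:", report["echoed_input"])
    for field, value in report["disclosed"].items():
        print(f"  disclosed {field} = {value}")
    print("escaped query term:", escape_lucene('">'))
    print("generic page is verbose:", analyse_error_page(safe_error_body("REF-0001"))["verbose"])
```

Run against the sample, the checker flags two stack frames, the `IllegalArgumentException` wrapping the Lucene `ParseException`, the reflected `">` and seven environment fields; run against the generic body it reports nothing, which is the condition a 500 handler should meet before it goes into production. Escaping the search term turns `">` into `\">`, so the quote is searched for literally and the parser never sees an unterminated string; validation of the query length and character set before the parser is the other half of the same fix.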
[1] https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
source: OWASP News