CVE-2014-125075: Added validation for contact adding and changed use of prepared state… · ChrisMcMStone/gmail-servlet@5d72753
A vulnerability was found in gmail-servlet and classified as critical. This issue affects the function search of the file src/Model.java. The manipulation leads to sql injection. The name of the patch is 5d72753c2e95bb373aa86824939397dc25f679ea. It is recommended to apply a patch to fix this issue. The identifier VDB-218021 was assigned to this vulnerability.
@@ -48,36 +48,56 @@ public String search(String forename, String surname, String contactemail) throw String query; if (forename.isEmpty() && surname.isEmpty()) { query = ""; } else if(forename.isEmpty()) { } else if (forename.isEmpty()) { query = “familyname LIKE '%” + surname + "’ and"; } else if(surname.isEmpty()) { } else if (surname.isEmpty()) { query = “forename LIKE '%” + forename + "’ and "; } else { query = “forename LIKE '%” + forename + “’ and familyname LIKE '%” + surname + "’ and"; }
PreparedStatement ps = conn.prepareStatement(“SELECT * FROM contactinfo WHERE " + query + " contactemailaddress = '” + contactemail + “’”); ResultSet rs = ps.executeQuery(); StringBuilder result = new StringBuilder(“<h3>Search results…</h3><table class=\"result-table\">” + “<tr>” + “<th>Forename</th> <th>Surname</th> <th>Email</th>” + “</tr>”); while(rs.next())
{ result.append(“<tr><td>”); result.append(rs.getString(2)); result.append(“</td><td>” + rs.getString(3)); result.append(“</td><td>” + rs.getString(4) + “</td></tr>”); } PreparedStatement ps = conn.prepareStatement(“SELECT * FROM contactinfo WHERE ? contactemailaddress = ?”); ps.setString(1, query); ps.setString(2, contactemail); ResultSet rs = ps.executeQuery(); StringBuilder result = new StringBuilder(“<h3>Search results…</h3><table class=\"result-table\">” + “<tr>” + “<th>Forename</th> <th>Surname</th> <th>Email</th>” + “</tr>”); while (rs.next()) { result.append(“<tr><td>”); result.append(rs.getString(2)); result.append(“</td><td>” + rs.getString(3)); result.append(“</td><td>” + rs.getString(4) + “</td></tr>”); }
result.append(“</table”); return result.toString(); } result.append(“</table”); conn.close(); return result.toString(); }
public void addContact(String firstname, String surname, String email, String user) throws SQLException {
PreparedStatement checkDuplicate = conn.prepareStatement(“SELECT * FROM contactinfo WHERE emailaddress = ?”); checkDuplicate.setString(1, email); ResultSet rs = checkDuplicate.executeQuery(); if (rs.next()) { throw new SQLException(“Contact already exists”); } PreparedStatement newStudent = conn.prepareStatement("INSERT INTO " + “contactinfo (forename, familyname, emailaddress, contactemailaddress) VALUES ('” + firstname + “’, '” + surname + “’, '” + email + “’, '” + user + "’)"); "contactinfo (forename, familyname, emailaddress, contactemailaddress) VALUES (?, ?, ?, ?)"); newStudent.setString(1, firstname); newStudent.setString(2, surname); newStudent.setString(3, email); newStudent.setString(4, user); newStudent.execute();
conn.close(); } }
//Todo sort out errors, when logging in unsuccessfully etc //Todo format message sent successfully page //Todo add some JS to allow user to click search results and send an email to that address
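Review bot: The rewritten prepareStatement in search binds the whole dynamic WHERE fragment as a string parameter (`ps.setString(1, query)`), but a JDBC placeholder stands for a value, not for SQL text, so `SELECT * FROM contactinfo WHERE ? contactemailaddress = ?` is sent with a quoted literal where a condition should be and is malformed (or at best matches nothing) whenever a forename or surname is supplied. The fragment itself is still assembled by concatenating the user-supplied names into `LIKE '%...'` text on the lines above it, so the clause-building logic should instead append `forename LIKE ? AND` / `familyname LIKE ? AND` conditionally and bind `"%" + forename` and `"%" + surname` with a running index, keeping the original ends-with pattern; the rewrite below does that, and the addContact part of the hunk, which binds plain values, needs no such change. The added `conn.close()` at the end of both methods runs only on the success path and, if `conn` is a field reused across requests (not visible in the hunk), leaves every later call on a closed connection; a try-with-resources around the PreparedStatement and ResultSet would be the usual shape here. Two smaller points on the unchanged result-rendering lines: `result.append("</table")` is missing the closing `>`, and the `rs.getString(...)` values are written into HTML without escaping, so a stored name containing markup is emitted verbatim.
```java
public String search(String forename, String surname, String contactemail) throws SQLException {
    // Build only the conditions that apply; every user-supplied value goes through a bind parameter.
    StringBuilder sql = new StringBuilder("SELECT * FROM contactinfo WHERE ");
    if (!forename.isEmpty()) {
        sql.append("forename LIKE ? AND ");
    }
    if (!surname.isEmpty()) {
        sql.append("familyname LIKE ? AND ");
    }
    sql.append("contactemailaddress = ?");
    PreparedStatement ps = conn.prepareStatement(sql.toString());
    int idx = 1;
    if (!forename.isEmpty()) {
        ps.setString(idx++, "%" + forename); // same ends-with pattern as the original '%...' literal
    }
    if (!surname.isEmpty()) {
        ps.setString(idx++, "%" + surname);
    }
    ps.setString(idx, contactemail);
    ResultSet rs = ps.executeQuery();
    // … unchanged: result-table rendering and return …
```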