SQL Injection Vulnerability


Sean Carte

Oct 20, 2020, 4:10:54 AM
to DSpace Technical Support
I'm running DSpace-CRIS 5.10 and have received a message from our IT dept alerting me to an SQL injection vulnerability on our repository.

It seems the auditors were using HighBond, but they haven't given me any details as to how they assessed this vulnerability.

I'm supposed to do something about it, but I don't know what.

Is there a known vulnerability in DSpace-CRIS 5.10?

/dspacecris-dut/bin/dspace version
DSpace version:  CRIS-5.10.0-SNAPSHOT
  SCM revision:  8390fec2945050541427ef1249dbbbd56b1ccdc4
    SCM branch:  fix-sword
            OS:  Linux(amd64) version 4.4.0-190-generic
     Discovery:  enabled.
           JRE:  Private Build version 1.8.0_265
   Ant version:  Apache Ant(TM) version 1.9.6 compiled on July 20 2018
 Maven version:  3.3.9
   DSpace home:  /dspacecris-dut

Sean Carte

Oct 20, 2020, 2:38:38 PM
to DSpace Technical Support
I just did a search for

'Bobby; DROP TABLE "bitstream";'

That didn't seem to do anything too catastrophic, apart from finding results.

dc...@prosentient.com.au

Oct 20, 2020, 8:05:38 PM
to Sean Carte, DSpace Technical Support

I can’t speak to DSpace-CRIS 5.10, but that’s a vague message from the IT dept. I would suggest going back to them and asking for more details. A good auditor will document how they exploited the vulnerability, so that you can fix it.


David Cook

Software Engineer

Prosentient Systems

72/330 Wattle St

Ultimo, NSW 2007

Australia


Office: 02 9212 0899

Online: 02 8005 0595

--
All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPWr8AO5xqkkTE1SbzXK%3D6xuswSS%2BmmfBPoj9OH3s0w4g%40mail.gmail.com.

dc...@prosentient.com.au

Oct 20, 2020, 8:12:18 PM
to Sean Carte, DSpace Technical Support

Without more information from your IT dept and the auditor, you would have to guess at this one; it could be any field that allows user input.

Although someone more familiar with DSpace CRIS might have more information.

Another thing you can try is looking at issue trackers. I don’t see anything at the DSpace CRIS tracker https://github.com/4Science/DSpace/issues, and I don’t see anything obvious when searching the DSpace issue tracker: https://jira.lyrasis.org/projects/DS/issues.

 

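Sean's probe earlier in the thread (a search for 'Bobby; DROP TABLE "bitstream";') and David's suggestion of trying any field that accepts user input both raise the question of how an SQL injection is actually confirmed. What follows is an added example, not code from DSpace, DSpace-CRIS, 4Science or anyone in this thread: a constructed SQLite-backed search written two ways, once with the term concatenated into the SQL text and once parameterised, exercised with the thread's stacked-query probe, with a boolean differential of the kind an auditor should be able to hand over as evidence, and with a payload that pulls in rows a visibility filter was meant to hide. The item/bitstream schema and the sample rows are invented for the example and are not DSpace's.

```python
import sqlite3

# Constructed sample data; this is not DSpace's schema, just enough rows to
# show how each query shape treats the search term (assumption for the example).
ROWS = [
    ("Bobby Tables and the art of input handling", "public"),
    ("Annual report 2019", "public"),
    ("Embargoed thesis", "restricted"),
]

STACKED_PROBE = 'Bobby; DROP TABLE "bitstream";'      # the probe used in the thread
TRUE_PROBE = "Annual%' AND '1%'='1"                   # boolean pair: differs only in a
FALSE_PROBE = "Annual%' AND '1%'='2"                  # condition the app never meant to evaluate
LEAK_PAYLOAD = "%' OR visibility = 'restricted' AND '%' = '"  # defeats the visibility filter


def make_db():
    """In-memory database with an item table and an (empty) bitstream table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (title TEXT, visibility TEXT)")
    conn.execute("CREATE TABLE bitstream (id INTEGER PRIMARY KEY)")
    conn.executemany("INSERT INTO item VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Search term concatenated into the SQL text: the injectable shape."""
    sql = ("SELECT title FROM item WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Same query with the term bound as a parameter; it can only ever be data."""
    sql = "SELECT title FROM item WHERE visibility = 'public' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def boolean_differential(search_fn, conn):
    """True if a true/false pair of injected conditions changes the result set.

    Two requests that differ only in an injected condition, with different
    responses, are the minimum evidence a scanner finding should come with.
    """
    return search_fn(conn, TRUE_PROBE) != search_fn(conn, FALSE_PROBE)


def demo():
    conn = make_db()
    # 1. The stacked-query probe lands inside the quoted literal, so even the
    #    vulnerable query returns nothing alarming and drops no table.
    stacked = search_vulnerable(conn, STACKED_PROBE)
    bitstream_intact = table_exists(conn, "bitstream")
    # 2. A boolean differential does separate the two implementations.
    vulnerable_detected = boolean_differential(search_vulnerable, conn)
    safe_detected = boolean_differential(search_safe, conn)
    # 3. What the vulnerable shape actually gives an attacker: rows the
    #    visibility filter was supposed to hide.
    leaked = search_vulnerable(conn, LEAK_PAYLOAD)
    safe_leaked = search_safe(conn, LEAK_PAYLOAD)
    return {
        "stacked_probe_results": stacked,
        "bitstream_intact": bitstream_intact,
        "vulnerable_detected": vulnerable_detected,
        "safe_detected": safe_detected,
        "leaked": leaked,
        "safe_leaked": safe_leaked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first check is the point to take away from Sean's experiment: a DROP TABLE probe that sits inside a quoted string literal is just text, and many drivers (Python's sqlite3 execute() among them) refuse more than one statement per call anyway, so "nothing catastrophic happened" is not evidence either way. The boolean pair is, which is why asking the auditor for the exact requests and responses is the right next step. Separately, a search box in a Discovery-enabled DSpace is answered by Solr rather than the relational database, so a search field is a poor place to probe for SQL injection in the first place.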

Sean Carte

Oct 21, 2020, 2:39:20 AM
to dc...@prosentient.com.au, DSpace Technical Support
Thanks, David. That is helpful; I was thinking along similar lines, but didn't know if I was in the right. I will revert to our IT dept.

emilio lorenzo

Oct 21, 2020, 3:32:30 AM
to dspac...@googlegroups.com

In any case, I think that information about vulnerabilities must be kept off the public lists; the "group" has mechanisms to deal with these issues.

It is only an idea...
Best,

Emilio

Tim Donohue

Oct 21, 2020, 10:15:35 AM
to emilio lorenzo, dspac...@googlegroups.com
All,

Per our DSpace Software Support policy, we have a recommended way to report security issues privately to the developer team:
https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy

To analyze a potential security issue, we require some sort of proof or example way to exploit the vulnerability.  At this time, there are no known SQL injection vulnerabilities related to DSpace.

That said, the above support policy does NOT apply to DSpace-CRIS, which is a third-party product built/supported/maintained by 4Science.  You'd need to contact 4Science directly regarding any security issues/reports with DSpace-CRIS.

Thanks,

Tim


Sean Carte

Oct 22, 2020, 2:18:43 AM
to Tim Donohue, emilio lorenzo, dspac...@googlegroups.com
Good points; thanks, Tim and Emilio. I wasn't about to report a vulnerability, I was really just asking for advice on how to address this. (I could have phrased my question better.)

As you suggest, if IT or the auditors do supply anything concrete, I will take it up directly with 4Science.

Marc

Oct 23, 2020, 6:49:52 AM
to Sean Carte, Tim Donohue, emilio lorenzo, dspac...@googlegroups.com

Dear Sean,

We would be interested in the outcome of this, as we have a DSpace CRIS system about to be released.

Kind regards
Marc

Bollini Andrea

Oct 26, 2020, 11:18:18 AM
to brouar...@gmail.com, sean....@gmail.com, dspac...@googlegroups.com, tim.d...@lyrasis.org, elor...@arvo.es
Sorry to react so late on this thread.
What Tim recommends is of course right. As DSpace-CRIS is based on
DSpace, there is a high chance that the issue, if any, is applicable also
to a plain DSpace, so my preferred way to deal with a security report would
be in accordance with the DSpace policy:

https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy

If the incident is reported directly to us (4Science) we will do our
best to investigate it as soon as possible and report back to the
DSpace dev team if it also applies here, but again, my experience is
that there is a 99% overlap, so it is better to get everyone informed sooner.

BTW we got more details and the reported issue is a false positive.

Andrea
