Loopback: User model login endpoint: security issue with possible query injection

Created on 13 May 2019 · 6Comments · Source: strongloop/loopback

Hello Loopback!

I found some kind of vulnerability on POST /Users/login route from the default User model:

Description/Steps to reproduce

Send the following to /Users/login as credentials

{
    "email": {"neq": "foo" },
    "password": "anything you want"
}

When inspecting the resulting user here https://github.com/strongloop/loopback/blob/4b3a3a347c9176f1a86b00d229fc942bdc60c794/common/models/user.js#L254 , this results in the first user in the database being returned, which means we now only need to find the password.

Found in loopback v3.25.1

We would expect the email to be forced as a string.

Feel free to reach me if my description is unclear 😄

security

Source

gabjauf

The fix has been published last week in [email protected].

bajtos on 4 Jun 2019

👍4

We may also use the "regexp" functionality to test multiple users without having to know their exact email:

{
    "email": {"regexp": "^a" },
    "password": "anything you want"
}

gabjauf on 13 May 2019

@gabjauf I tried both the payloads, I am getting 401. Can you elaborate the steps?

hacksparrow on 29 May 2019

Oh, I got what you mean. Taking a look. Thanks for reporting.

hacksparrow on 29 May 2019

👍1

@hacksparrow I was seeing a 401 as well - could you elaborate on 'I got what you mean'?

fabien on 30 May 2019

👍1

The fix has been published last week in [email protected].

bajtos on 4 Jun 2019

👍4

Great works guys, thanks 👍

gabjauf on 5 Jun 2019

Was this page helpful?

0 / 5 - 0 ratings

How validate nested models on Loopback

rkmax · 3Comments

How to run task in only one worker when deploying on cluster

JoeShi · 4Comments

Issue of Amazon server configurations

ImanMh · 4Comments

Patch Attributes needs to be updated on default user model

devotox · 4Comments

Auto-increment is not created when using auto-migrate

nmklong · 3Comments