Bug / SQL injection? Monitoring Windows Event Logs and NetXMS Server SQL errors

Started by hkusulja, May 08, 2014, 03:32:02 PM


hkusulja

Hi,
I have configured monitoring Windows Event Logs, I do log message description (%m).

However, my NetXMS server started throwing events SYS_DB_QUERY_FAILED [52]
Example of Event Message:


Database query failed (Query: INSERT INTO alarm_events (alarm_id,event_id,event_code,event_name,severity,source_object_id,event_timestamp,message) VALUES (?,?,?,?,?,?,?,?); Error: [Microsoft][SQL Server Native Client 10.0][SQL Server]Violation of PRIMARY KEY constraint 'PK__alarm_ev__E6249E6BFEDA1E4D'. Cannot insert duplicate key in object 'dbo.alarm_events'. The duplicate key value is (1704, 64513).)
AlarmText: Database query failed (Query: INSERT INTO alarm_events (alarm_id,event_id,event_code,event_name,severity,source_object_id,event_timestamp,message) VALUES (?,?,?,?,?,?,?,?); Error: [Microsoft][SQL Server Native Client 10.0][SQL Server]Violation of PRIMARY KEY constraint 'PK__alarm_ev__E6249E6BFEDA1E4D'. Cannot insert duplicate key in object 'dbo.alarm_events'. The duplicate key value is (1704, 64513).) Custom message:
UserTag:


I believe that is due to my initial error message which has a ' sign. So this is SQL injection to NetXMS alarm_events table.

So this is a huge bug and big security risk for all NetXMS users.
I believe this should be fixed ASAP.

Also, please correct me if I am wrong...

Victor Kirhenshtein

No, it's not due to apostrophe character and SQL injection is not possible here. You can see that SQL statement is a prepared statement with placeholders - it is not constructed dynamically from external data. Also, error message clearly states "Violation of PRIMARY KEY constraint 'PK__alarm_ev__E6249E6BFEDA1E4D'. Cannot insert duplicate key in object 'dbo.alarm_events'. The duplicate key value is (1704, 64513)" - actual problem is that system for some reason tries to insert duplicate record into table. It is definitely a bug, but not a security threat.

Best regards,
Victor
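
Added example (not part of the original thread and not NetXMS code): a small Python script showing the distinction made in the reply above, that a value bound to a `?` placeholder is stored as data even when it contains an apostrophe, while a repeated key fails with a constraint error regardless of the message text. Assumptions: SQLite stands in for SQL Server, the table is a simplified alarm_events with a composite key inferred from the two-value duplicate key in the error, and the sample message is constructed.

```python
import sqlite3

# Constructed sample: a Windows event description containing apostrophes.
MESSAGE = "The service 'Spooler' couldn't start"

def make_db():
    db = sqlite3.connect(":memory:")
    # Simplified stand-in for alarm_events; the composite primary key is an
    # assumption based on the duplicate key value (1704, 64513) in the error.
    db.execute(
        "CREATE TABLE alarm_events ("
        " alarm_id INTEGER, event_id INTEGER, message TEXT,"
        " PRIMARY KEY (alarm_id, event_id))"
    )
    return db

def insert_bound(db, alarm_id, event_id, message):
    """Prepared statement: values are bound and never parsed as SQL."""
    try:
        db.execute(
            "INSERT INTO alarm_events (alarm_id,event_id,message) VALUES (?,?,?)",
            (alarm_id, event_id, message),
        )
        return "ok"
    except sqlite3.IntegrityError:
        return "duplicate key"

def insert_concatenated(db, alarm_id, event_id, message):
    """Anti-pattern shown for contrast: the message becomes part of the SQL text."""
    sql = ("INSERT INTO alarm_events (alarm_id,event_id,message) "
           f"VALUES ({alarm_id},{event_id},'{message}')")
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.OperationalError:
        return "syntax error"

def demo():
    db = make_db()
    results = [
        insert_bound(db, 1704, 64513, MESSAGE),         # apostrophes stored as data
        insert_bound(db, 1704, 64513, "plain text"),    # same key again
        insert_concatenated(db, 1704, 64514, MESSAGE),  # apostrophe breaks the statement
    ]
    stored = db.execute("SELECT message FROM alarm_events").fetchall()
    return results, stored

if __name__ == "__main__":
    print(demo())
```

The second insert fails on the key alone, which matches the shape of the error in the first post: a prepared statement with placeholders and a primary key violation.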

hkusulja

Quote from: Victor Kirhenshtein on May 08, 2014, 04:47:16 PM
No, it's not due to apostrophe character and SQL injection is not possible here. You can see that SQL statement is a prepared statement with placeholders - it is not constructed dynamically from external data. Also, error message clearly states "Violation of PRIMARY KEY constraint 'PK__alarm_ev__E6249E6BFEDA1E4D'. Cannot insert duplicate key in object 'dbo.alarm_events'. The duplicate key value is (1704, 64513)" - actual problem is that system for some reason tries to insert duplicate record into table. It is definitely a bug, but not a security threat.

Best regards,
Victor
Thank you for the fast and correct response.
Now I understand this is NOT SQL injection / security hole.

Sometimes I also have: "String or binary data would be truncated", but there are a lot of duplicate items.

Something maybe about wrong collecting Windows event logs on an agent/client maybe or event processing rules :/

I do have latest available stable version.