Summary

A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7)

Details

Vulnerability Recurrence

Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here). Then go to the Jdbc connection trigger vulnerability

Vulnerability Analysis

This vulnerability is the bypass of CVE-2023-41887 vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part In com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method in the final JdbcUrl structure That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Type: MySQL
Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1
Port: 3306
User: win_hosts
Database: test