Data Validation Bugs (DVL) Examples
CVE-2020-5902 – BIG-IP TMUI RCE
BF Taxonomy

Fig 1. BF for CVE-2020-5902 – BIG-IP TMUI RCE
Cause: Improper Operation - Missing
Attributes:
Mechanism: Format (e.g., via the “.*\.\.;.*” regular expression)
Source Code: Codebase (login.jsp)
State: Transferred (via network)
Consequence: Injection Error - File Injection (Path Traversal)
Brief Description:
BIG-IP is a family of server-side products from F5 Inc. focused on availability, performance, and security. In several versions, its Traffic Management Interface (TMUI), known as the BIG-IP Configuration utility, allows Remote Code Execution (RCE).
Analysis
TMUI of BIG-IP accepts /..;/ via the login interface /tmui/login.jsp. However, Apache Tomcat treats /..;/ as /../, which is a relative path for going one directory up. This allows a malicious user to bypass authentication, save and open files, and run arbitrary commands on the host.
The Fix
To fix the bug, input validation (e.g., via the “.*\.\.;.*” regular expression) should be added to reject any /..;/ elements.
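The validation described above, as an added Java example that is not F5's code or part of the original page: rejects() applies the page's regular expression, and backendView() is a simplified model (an assumption) of the path handling the Analysis attributes to Apache Tomcat. The class name, method names and sample paths are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.regex.Pattern;

public class TraversalCheck {
    // The pattern quoted on this page. DOTALL lets '.' match line breaks too,
    // so an embedded newline cannot make matches() fail on a path with "..;".
    private static final Pattern DOT_DOT_SEMI =
        Pattern.compile(".*\\.\\.;.*", Pattern.DOTALL);

    /** Validation step the page calls for: true means reject the request. */
    static boolean rejects(String path) {
        return DOT_DOT_SEMI.matcher(path).matches();
    }

    /**
     * Simplified model (an assumption, not Tomcat's code) of how the back end
     * reads a path: drop ";params" from each segment, then resolve "." and "..".
     */
    static String backendView(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);  // "..;" becomes ".."
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { stack.pollLast(); continue; }  // one level up
            stack.addLast(seg);
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample paths; "/protected/page.jsp" is a placeholder.
        String[] samples = {
            "/tmui/login.jsp",
            "/tmui/login.jsp/..;/protected/page.jsp",
            "/tmui/login.jsp;jsessionid=abc",
        };
        for (String p : samples) {
            System.out.printf("%-42s backend=%-26s %s%n",
                p, backendView(p), rejects(p) ? "REJECT" : "allow");
        }
    }
}
```

Only the second sample is rejected: its back-end view is /tmui/protected/page.jsp, a different resource from the login page the front end believes it is serving, while the ordinary ;jsessionid path parameter in the third sample still passes.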
CVE-2019-10748 – Sequelize SQL Injection
BF Taxonomy

Fig 2. BF for CVE-2019-10748 – Sequelize SQL Injection
Cause: Improper Operation - Missing
Attributes:
Source Code: Codebase (query-generator.js)
State: Transferred (via network)
Consequence: Injection Error - Query Injection (SQL Injection)
Brief Description:
Sequelize is an Object-Relational Mapper for Node.js. It supports Postgres, MySQL, MariaDB, SQLite, and Microsoft SQL Server; it facilitates transaction support, relations, and lazy loading. In several versions, query-generator.js allows SQL injection.
Analysis
The user input path is not sanitized for MySQL/MariaDB syntax in a JSON (JavaScript Object Notation) object.
The Fix
To fix the bug, the developers check the input path's syntax and sanitize it.