Issues » SQL Injection via REST api

Issue: SI-35
Date: Apr 12, 2016, 5:00:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3.2, 3.5
Credit: Nicky @ Tencent Security Platform Department
Description:

A SQL injection attack is possible via the Content REST API if the API is configured to allow anonymous content saving (which is the shipped default).

Mitigation:
  • Deny access to /api endpoints for anonymous or off-network traffic
  • Set REST_API_REJECT_WITH_NO_USER=true in dotmarketing-config.properties
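An added configuration check, not part of the advisory or of dotCMS itself: a small Python audit that parses a dotmarketing-config.properties file and reports whether the REST_API_REJECT_WITH_NO_USER mitigation is in place. It treats an absent key as the shipped default described above (anonymous saving allowed); the properties parser and sample configs are constructed for this example.

```python
"""Audit dotmarketing-config.properties for the SI-35 mitigation setting."""
import re

KEY = "REST_API_REJECT_WITH_NO_USER"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comment lines, '=' or ':'
    separators, trailing-backslash line continuations; later keys win."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank or comment outside a continuation
        logical.append(line)
        if line.endswith("\\"):
            logical[-1] = line[:-1]       # continuation: join with the next line
            continue
        joined, logical = "".join(logical), []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_rest_anonymous(text: str) -> dict:
    """Return MITIGATED only when the key is explicitly 'true'.
    Absent key = shipped default per the advisory = anonymous saving allowed."""
    value = parse_properties(text).get(KEY)
    if value is None:
        status, reason = "VULNERABLE", f"{KEY} not set; shipped default allows anonymous content saving"
    elif value.lower() == "true":
        status, reason = "MITIGATED", f"{KEY}=true rejects REST calls with no authenticated user"
    else:
        status, reason = "VULNERABLE", f"{KEY}={value!r} does not reject unauthenticated REST calls"
    return {"key": KEY, "value": value, "status": status, "reason": reason}


# Constructed sample configurations (not taken from any real deployment).
SHIPPED_DEFAULT = "# key absent, as shipped\nCMS_NAME=demo\n"
HARDENED = "REST_API_REJECT_WITH_NO_USER = true\n"
COMMENTED_OUT = "#REST_API_REJECT_WITH_NO_USER=true\n"  # looks set, is not

if __name__ == "__main__":
    for name, cfg in [("shipped", SHIPPED_DEFAULT), ("hardened", HARDENED),
                      ("commented-out", COMMENTED_OUT)]:
        r = audit_rest_anonymous(cfg)
        print(f"{name:14} {r['status']:10} {r['reason']}")
```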
References