{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/plugin-collection-sql/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["plugin-collection-sql"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","nocobase"],"_cs_type":"advisory","_cs_vendors":["nocobase"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e plugin for NocoBase is vulnerable to SQL injection. The \u003ccode\u003echeckSQL()\u003c/code\u003e validation function, which rejects statements containing dangerous SQL keywords, is applied to the \u003ccode\u003ecollections:create\u003c/code\u003e and \u003ccode\u003esqlCollection:execute\u003c/code\u003e endpoints but not to the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint. This gap allows an attacker who holds collection management permissions (specifically the \u003ccode\u003epm.data-source-manager.collection-sql\u003c/code\u003e snippet) to store arbitrary SQL in a collection definition. The attack consists of creating a SQL collection with benign SQL, updating it with malicious SQL that bypasses validation, and then querying the collection so that the injected SQL executes. 
This vulnerability, confirmed to affect versions 2.0.32 and earlier, can lead to unauthorized data access, privilege escalation and, depending on the privileges of the database account NocoBase connects with, remote code execution on the database server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains collection management permissions, for example through compromised credentials or by exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003ecollections:create\u003c/code\u003e endpoint to create a new SQL collection with a benign query such as \u003ccode\u003e\u0026quot;SELECT 1 as id\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server runs \u003ccode\u003echeckSQL()\u003c/code\u003e on the query, which passes, and the collection is created.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint targeting the newly created collection. 
The request carries a SQL payload that reads data the attacker is not entitled to, such as \u003ccode\u003e\u0026quot;SELECT * FROM users\u0026quot;\u003c/code\u003e, or calls database functions the validator would otherwise block.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server processes the update request without calling \u003ccode\u003echeckSQL()\u003c/code\u003e, so the malicious SQL is saved unchanged in the collection configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the updated collection through the \u003ccode\u003e\u0026lt;collection_name\u0026gt;:list\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server executes the stored SQL against the database.\u003c/li\u003e\n\u003cli\u003eThe database returns the result set, potentially containing sensitive data such as user credentials, which the server passes back to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. Attackers can exfiltrate sensitive data, including user credentials and password hashes, leading to confidentiality breaches. By calling database-specific functions such as \u003ccode\u003epg_read_file\u003c/code\u003e or \u003ccode\u003eLOAD_FILE\u003c/code\u003e, attackers can potentially read arbitrary files from the database server\u0026rsquo;s filesystem; note that \u003ccode\u003epg_read_file\u003c/code\u003e requires superuser or the \u003ccode\u003epg_read_server_files\u003c/code\u003e role in PostgreSQL, and \u003ccode\u003eLOAD_FILE\u003c/code\u003e requires the \u003ccode\u003eFILE\u003c/code\u003e privilege and is constrained by \u003ccode\u003esecure_file_priv\u003c/code\u003e in MySQL, so the reach of the injection is bounded by the privileges of the account the plugin connects with. The vulnerability can also be exploited for privilege escalation, giving attackers access to other databases reachable from that account, and for arbitrary code execution on the database server where the account can invoke such features (for example PostgreSQL \u003ccode\u003eCOPY ... TO PROGRAM\u003c/code\u003e, which requires superuser or the \u003ccode\u003epg_execute_server_program\u003c/code\u003e role). 
Although no in-the-wild exploitation is recorded here and the number of affected deployments is unknown, any NocoBase instance running a vulnerable version of the \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e plugin is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a release of \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e that applies \u003ccode\u003echeckSQL()\u003c/code\u003e in the \u003ccode\u003eupdate\u003c/code\u003e action, the fix suggested in the advisory; if you patch the plugin yourself, add the same call that \u003ccode\u003ecreate\u003c/code\u003e and \u003ccode\u003eexecute\u003c/code\u003e already make.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NocoBase SQL Injection via Update Endpoint\u003c/code\u003e, which monitors HTTP requests to the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint. Legitimate administrators use the same endpoint, so tune the rule to the request body: alert when the submitted SQL contains stacked statements or keywords that \u003ccode\u003echeckSQL()\u003c/code\u003e rejects, and correlate with a subsequent \u003ccode\u003e:list\u003c/code\u003e call on the same collection.\u003c/li\u003e\n\u003cli\u003eImplement the more comprehensive defenses recommended in the advisory: centralize validation so that every action storing SQL goes through the same check, and strengthen the blocklist of dangerous SQL keywords. Keyword blocklists are bypass-prone, so also run SQL collections through a database role limited to SELECT on the tables they need, which bounds the impact of any future validation gap.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-nocobase-sql-injection/","summary":"A SQL injection vulnerability exists in nocobase plugin-collection-sql versions 2.0.32 and earlier due to missing validation on the sqlCollection:update endpoint, allowing attackers with collection management permissions to execute arbitrary SQL queries and exfiltrate data.","title":"NocoBase SQL Injection via Missing Validation on Update Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-24-nocobase-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — 
Plugin-Collection-Sql","version":"https://jsonfeed.org/version/1.1"}
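The following JavaScript is an added example and is not NocoBase's code or part of the feed item above. It models the attack chain and the recommendation together: a create/update/list flow in which a keyword-blocklist validator standing in for checkSQL() runs on create but not on update, the hardened variant that also validates on update, and a scan over constructed access-log records that flags sqlCollection:update requests carrying SQL the validator would have rejected. The blocklist, the route /api/sqlCollection:update, the filterByTk parameter, the log record layout and the log lines themselves are assumptions made for the example, not NocoBase's real implementation.

```javascript
// Added example, not NocoBase's code: a model of the create/update/list flow
// of a SQL-collection plugin whose validator is applied on create but not on
// update, beside the hardened form, plus a log scan for the bypass.

// ASSUMPTION: checkSQL() is modelled as a keyword blocklist over a single
// SELECT statement; NocoBase's real rule set is not reproduced here.
const BLOCKED = [
  /\b(drop|delete|update|insert|alter|truncate|grant|create|copy|call|exec)\b/i,
  /\b(pg_read_file|pg_ls_dir|lo_import|load_file|xp_cmdshell)\b/i,
  /\binto\s+(outfile|dumpfile)\b/i,
];

function checkSQL(sql) {
  const body = String(sql).trim().replace(/;\s*$/, '');
  if (body.includes(';')) throw new Error('stacked statements are not allowed');
  if (!/^select\b/i.test(body)) throw new Error('only SELECT statements are allowed');
  for (const re of BLOCKED) {
    const hit = body.match(re);
    if (hit) throw new Error(`blocked SQL keyword: ${hit[0]}`);
  }
  return body;
}

// Constructed stand-in for the database: records every statement it is sent
// and returns a canned row, so the example runs offline.
function makeDatabase() {
  const executed = [];
  return { executed, query: (sql) => { executed.push(sql); return [{ id: 1 }]; } };
}

// The three actions named in the advisory. `validateOnUpdate: false`
// reproduces the vulnerable flow; `true` is the fix (checkSQL on update).
function makeSqlCollectionActions(db, { validateOnUpdate }) {
  const collections = new Map();
  return {
    create(name, sql) {                       // collections:create, validated
      collections.set(name, checkSQL(sql));
    },
    update(name, sql) {                       // sqlCollection:update
      if (!collections.has(name)) throw new Error(`unknown collection ${name}`);
      collections.set(name, validateOnUpdate ? checkSQL(sql) : String(sql));
    },
    list(name) {                              // <collection_name>:list
      return db.query(collections.get(name));
    },
  };
}

// Walks the advisory's attack chain. Returns the SQL that reached the
// database and, if the update was refused, the validator's message.
function runAttackChain({ validateOnUpdate }) {
  const db = makeDatabase();
  const actions = makeSqlCollectionActions(db, { validateOnUpdate });
  const payload = "SELECT pg_read_file('/etc/passwd')"; // constructed payload
  actions.create('probe', 'SELECT 1 as id');            // passes checkSQL
  try {
    actions.update('probe', payload);
  } catch (e) {
    return { executed: db.executed, rejected: e.message };
  }
  actions.list('probe');                                // runs the stored SQL
  return { executed: db.executed, rejected: null };
}

// Detection: flag sqlCollection:update requests whose SQL checkSQL() would
// reject. Alerting on the endpoint alone fires on every legitimate edit.
// ASSUMPTIONS: one JSON record per log line with fields src, method, path,
// query and body; the action is routed at /api/sqlCollection:update and the
// target collection is named in the filterByTk query parameter.
function scanRequestLog(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (rec.method !== 'POST' || !/\/api\/sqlCollection:update\b/.test(rec.path)) continue;
    const sql = rec.body && rec.body.sql;
    if (typeof sql !== 'string') continue;
    try { checkSQL(sql); } catch (e) {
      hits.push({ src: rec.src, collection: rec.query && rec.query.filterByTk, reason: e.message });
    }
  }
  return hits;
}

// Constructed log records, not real NocoBase output.
const SAMPLE_LOG = [
  { src: '10.0.0.5', method: 'POST', path: '/api/collections:create', body: { name: 'probe', sql: 'SELECT 1 as id' } },
  { src: '10.0.0.9', method: 'POST', path: '/api/sqlCollection:update', query: { filterByTk: 'sales' }, body: { sql: 'SELECT id, total FROM orders' } },
  { src: '10.0.0.5', method: 'POST', path: '/api/sqlCollection:update', query: { filterByTk: 'probe' }, body: { sql: "SELECT pg_read_file('/etc/passwd')" } },
  { src: '10.0.0.5', method: 'POST', path: '/api/sqlCollection:update', query: { filterByTk: 'probe' }, body: { sql: 'SELECT 1; DROP TABLE users' } },
].map((r) => JSON.stringify(r));

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runAttackChain({ validateOnUpdate: false }));
  console.log('hardened:  ', runAttackChain({ validateOnUpdate: true }));
  console.log('detections:', scanRequestLog(SAMPLE_LOG));
}
```

Run with `node` and compare the two `runAttackChain` results: in the vulnerable flow the `pg_read_file` payload is the one statement that reaches the database, while in the hardened flow the update is refused and nothing executes. The detector reports only the two records from `10.0.0.5` on the `probe` collection, not the administrator's ordinary edit of `sales`, which is the reason the recommendation keys the rule on the validator's verdict rather than on the endpoint alone.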