{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/daptin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["daptin/daptin"],"_cs_severities":["critical"],"_cs_tags":["sqli","daptin","github","fuzzy-search"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eDaptin versions up to and including 0.11.4 are susceptible to a SQL injection vulnerability within the \u003ccode\u003eprocessFuzzySearch\u003c/code\u003e function located in \u003ccode\u003eserver/resource/resource_findallpaginated.go\u003c/code\u003e. This flaw allows any authenticated user, including those self-registered without administrative oversight, to inject arbitrary SQL commands by manipulating the \u003ccode\u003ecolumn\u003c/code\u003e parameter during a fuzzy search. Specifically, when a GET request is made to \u003ccode\u003e/api/\u0026lt;entity\u0026gt;\u003c/code\u003e with the \u003ccode\u003eoperator\u003c/code\u003e set to \u003ccode\u003efuzzy\u003c/code\u003e, \u003ccode\u003efuzzy_any\u003c/code\u003e, or \u003ccode\u003efuzzy_all\u003c/code\u003e, the application fails to properly sanitize the column name before incorporating it into a raw SQL query. This vulnerability enables malicious actors to bypass column whitelists, potentially granting them unauthorized access to sensitive data within the entire database. The issue is distinct from the vulnerability patched in GHSA-rw2c-8rfq-gwfv and requires a separate patch to address the vulnerable fuzzy search path.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a new user account, leveraging the default self-signup feature which requires no admin approval.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates with the newly created account to obtain a valid JWT (JSON Web Token).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to \u003ccode\u003e/api/\u0026lt;entity\u0026gt;\u003c/code\u003e, setting the \u003ccode\u003eoperator\u003c/code\u003e parameter to \u003ccode\u003efuzzy\u003c/code\u003e (or \u003ccode\u003efuzzy_any\u003c/code\u003e, \u003ccode\u003efuzzy_all\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003ecolumn\u003c/code\u003e parameter using string formatting. For example: \u003ccode\u003ereference_id) OR 1=1 OR LOWER(world.reference_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003ecolumn\u003c/code\u003e parameter bypasses the column name whitelist check due to the execution path going through \u003ccode\u003eprocessFuzzySearch\u003c/code\u003e instead of \u003ccode\u003eprocessQueryFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is passed to \u003ccode\u003egoqu.L\u003c/code\u003e, which incorporates it directly into a raw SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL query, potentially leaking sensitive information or allowing for data manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts data using boolean-blind SQL injection, exploiting the vulnerability to read data from all tables within the database, including credential data (emails, bcrypt password hashes) in the \u003ccode\u003euser_account\u003c/code\u003e table.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with only a valid JWT to read the entire database via boolean-blind extraction. This includes sensitive information such as user credentials (emails and bcrypt password hashes). The self-signup feature of Daptin means that no administrative involvement is needed for an attacker to create an account and exploit this vulnerability. The extraction rate is approximately 7 HTTP requests per character, making full database extraction feasible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch that adds a \u003ccode\u003eGetColumnByName\u003c/code\u003e whitelist check in \u003ccode\u003eprocessFuzzySearch\u003c/code\u003e (line 1484) to prevent SQL injection via the \u003ccode\u003ecolumn\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003ecolumn\u003c/code\u003e parameter in the \u003ccode\u003eprocessFuzzySearch\u003c/code\u003e function to prevent the injection of arbitrary SQL commands.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Daptin Suspicious Fuzzy Search Query\u0026rdquo; to detect potential exploitation attempts based on the presence of SQL syntax in the \u003ccode\u003equery\u003c/code\u003e parameter of HTTP requests to the \u003ccode\u003e/api/\u0026lt;entity\u0026gt;\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (logsource: webserver) for requests to \u003ccode\u003e/api/world\u003c/code\u003e or other entities that include the \u003ccode\u003efuzzy\u003c/code\u003e operator and contain suspicious characters or SQL syntax in the \u003ccode\u003equery\u003c/code\u003e parameter, as detected by the \u0026ldquo;Daptin Suspicious Fuzzy Search Query\u0026rdquo; rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T22:10:11Z","date_published":"2026-05-06T22:10:11Z","id":"/briefs/2024-01-daptin-sqli/","summary":"Daptin versions up to 0.11.4 are vulnerable to SQL injection, where an authenticated user can inject unvalidated column names into raw SQL via the `processFuzzySearch` function, allowing them to read the entire database.","title":"Daptin SQL Injection Vulnerability via Fuzzy Search","url":"https://feed.craftedsignal.io/briefs/2024-01-daptin-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Daptin","version":"https://jsonfeed.org/version/1.1"}