Emoncms SQL Injection Vulnerability in Feed Insert Endpoint

Vulnerability

A SQL injection vulnerability has been identified in the Emoncms project, specifically in versions 11.6.9 and later. The issue arises in the '/feed/insert.json' endpoint, where user-supplied input in the 'data' query parameter is not properly sanitized. This flaw allows attackers to execute arbitrary SQL commands under certain conditions.

Impact

Exploitation of this vulnerability could lead to unauthorized SQL command execution, potentially allowing attackers to corrupt data, retrieve sensitive information, cause a denial-of-service, or compromise the entire database.

Reproduction

To reproduce this vulnerability, first create a record in the 'feed' table with the 'engine' column set to '0'. This can be done by sending a request to the '/feed/create.json' endpoint with the appropriate parameters. Once the record is in place, send a GET request to the '/feed/insert.json' endpoint, including the 'data' parameter with a crafted payload that exploits the SQL injection vulnerability. The injected SQL payload will be executed as part of the SQL query, demonstrating the vulnerability.

Remediation

It is recommended to use parameterized queries to prevent SQL injection vulnerabilities. Additionally, input validation and sanitization should be implemented to reject dangerous input patterns. Using an Object-Relational Mapping (ORM) tool can also help mitigate SQL injection risks.
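A sketch of the first two recommendations applied to a feed insert, added here as an example and not taken from the Emoncms code base. It assumes 'data' is a JSON array of [time, value] pairs and that each feed is stored in its own table named feed_<id>; Python's sqlite3 stands in for the MySQL-backed engine, and all function names and sample values are constructed.

```python
import json
import sqlite3

MAX_POINTS = 1000  # assumed per-request cap, not an Emoncms setting

def parse_points(raw):
    """Validate 'data' (assumed JSON [[time, value], ...]) into typed tuples."""
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        raise ValueError("data is not valid JSON")
    if not isinstance(decoded, list) or not 0 < len(decoded) <= MAX_POINTS:
        raise ValueError("data must be a non-empty, bounded list")
    points = []
    for item in decoded:
        if not isinstance(item, list) or len(item) != 2:
            raise ValueError("each point must be [time, value]")
        t, v = item
        # Exact type checks also exclude bool, which is an int subclass.
        if type(t) is not int or not 0 <= t < 2**32:
            raise ValueError("time must be a 32-bit unsigned integer")
        if type(v) not in (int, float) or v != v or abs(v) > 1e300:
            raise ValueError("value must be a finite number")
        points.append((t, float(v)))
    return points

def insert_points(conn, feed_id, raw_data):
    """feed_id and raw_data arrive as query-string text; values are bound."""
    if not (feed_id.isascii() and feed_id.isdigit()) or int(feed_id) < 1:
        raise ValueError("feed id must be a positive integer")
    points = parse_points(raw_data)
    # Table names cannot be bound, so the name is built only from the integer.
    sql = "INSERT INTO feed_%d (time, data) VALUES (?, ?)" % int(feed_id)
    with conn:  # one transaction: all points or none
        conn.executemany(sql, points)
    return len(points)

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL feed engine
    conn.execute("CREATE TABLE feed_1 (time INTEGER PRIMARY KEY, data REAL)")
    inserted = insert_points(conn, "1", "[[1700000000, 21.5], [1700000010, 22]]")
    try:  # constructed non-numeric value: rejected before any SQL is built
        insert_points(conn, "1", '[[1700000020, "22); --"]]')
        rejected = False
    except ValueError:
        rejected = True
    rows = conn.execute("SELECT time, data FROM feed_1 ORDER BY time").fetchall()
    return inserted, rejected, rows
```

Validation and binding are independent layers here: the type checks reject malformed points early, and the placeholders keep any value that does pass from being interpreted as SQL.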

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.5
exploitability: 7.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.