NodeBB SQL Injection Vulnerability in Search Categories API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in NodeBB version 4.3.0, specifically within the search-categories API endpoint. The issue arises because the search query parameter is not adequately sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.

Impact

Exploitation of this vulnerability allows an attacker to manipulate the database queries issued by the search-categories endpoint. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the search-categories API endpoint with a crafted search query that exploits the lack of proper sanitization. Boolean-based blind payloads can be injected by manipulating the search parameter with SQL injection techniques such as tautology-based conditions. Additionally, error-based payloads can be injected by causing the PostgreSQL database to return error messages, which can then be used to extract information from the database.
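The advisory does not show the affected code, so the following is an added illustration (not NodeBB's own code) of the pattern it describes: a search string interpolated into a PostgreSQL query, beside the parameterized form that fixes it. The table and column names, the builder function names, and the 100-character length limit are assumptions for the example.

```javascript
// Added illustration, not NodeBB's own code. Table and column names are assumed.

// Vulnerable pattern: the search string is interpolated into the SQL text,
// so a quote character in the input becomes part of the statement.
function buildUnsafeCategorySearch(search) {
  return {
    text: `SELECT cid, name FROM categories WHERE name ILIKE '%${search}%'`,
    values: [],
  };
}

// Escape LIKE metacharacters (backslash, %, _) so a bound value cannot
// widen the pattern; the ESCAPE clause in the query names the escape char.
function escapeLike(value) {
  return value.replace(/[\\%_]/g, (ch) => `\\${ch}`);
}

// Hardened form: the query text is constant and the input travels only as
// the bound parameter $1, which PostgreSQL never parses as SQL. The type
// and length check rejects non-string input (arrays, objects) up front.
function buildSafeCategorySearch(search) {
  if (typeof search !== 'string' || search.length > 100) {
    throw new TypeError('search must be a string of at most 100 characters');
  }
  return {
    text: "SELECT cid, name FROM categories WHERE name ILIKE $1 ESCAPE '\\'",
    values: [`%${escapeLike(search)}%`],
  };
}

// Constructed probe containing a single quote, the character that closes
// the string literal in the unsafe builder.
const probe = "x' OR 'a'='a";
const unsafe = buildUnsafeCategorySearch(probe);
const safe = buildSafeCategorySearch(probe);
console.log(unsafe.text.includes(probe)); // true: input became SQL text
console.log(safe.text.includes(probe));   // false: input stays a parameter
```

With a real client (for example node-postgres) the hardened object is passed as `client.query(text, values)`, so the driver sends the statement and its parameters separately.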

Added: Aug 27, 2025, 6:31 PM
Updated: Aug 27, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.