Tirreno Blind SQL Injection Vulnerability in Admin API LoadUsers Endpoint
Vulnerability
A blind SQL injection vulnerability has been identified in Tirreno version 0.9.5, specifically within the Admin API 'loadUsers' endpoint. It allows an authenticated user to inject SQL into the queries the endpoint executes by supplying a crafted value in the 'columns[0][data]' parameter. The injection occurs because this user-supplied value is incorporated into the SQL query text without adequate validation or parameterization. Exploitation could lead to the extraction of database metadata, user account information, and sensitive application data.
Impact
Exploitation of this vulnerability allows for blind SQL injection, where an attacker can infer and extract data from the database by manipulating SQL queries through the affected API endpoint. This could include database metadata, user accounts, roles, permissions, and sensitive application data.
Reproduction
To reproduce this vulnerability, send a request to the '/admin/loadUsers' API endpoint with an injected payload in the 'columns[0][data]' parameter. The payload should be crafted to exploit the SQL injection vulnerability, such as by using a 'CASE' statement that introduces a delay based on the database response. This confirms the injection and can be used to extract data by iterating through database information, one character at a time.
Remediation
Users are advised to update to Tirreno version 0.9.6 or later, where this vulnerability has been patched. The latest version can be downloaded from the Tirreno GitHub repository.
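The root cause described above is a DataTables-style sort parameter ('columns[0][data]') reaching the query text unvalidated. Column names cannot be bound as query parameters, so the defensive pattern is to map the request value onto an allowlist of sortable identifiers and bind every other value (search term, limit, offset) as a parameter. The following is an added example written for this advisory, not Tirreno's own code; the table name, column names and the in-memory SQLite database are assumptions constructed for the demonstration, and the request keys mirror the DataTables parameter names the advisory mentions.

```python
import sqlite3

# Allowlist of columns the endpoint is willing to sort by. Identifiers that are
# not in this set never reach the SQL text. (Column names are assumed for this
# example; the real schema is not part of the advisory.)
SORTABLE_COLUMNS = {"id", "email", "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def resolve_sort(params):
    """Turn DataTables request parameters into an ORDER BY fragment.

    Only allowlisted column names and the two fixed direction keywords can
    appear in the returned string, so nothing attacker-controlled is ever
    concatenated into the query.
    """
    column = params.get("columns[0][data]", "id")
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = SORT_DIRECTIONS.get(params.get("order[0][dir]", "asc").lower())
    if direction is None:
        raise ValueError("unsupported sort direction")
    return f"{column} {direction}"


def load_users(conn, params):
    """Hardened loadUsers-style query: identifier allowlist plus bound parameters."""
    order_by = resolve_sort(params)
    search = params.get("search[value]", "")
    # Paging values are integers; int() rejects anything that is not a number
    # and the bounds keep a caller from requesting an unbounded page.
    limit = max(1, min(int(params.get("length", 10)), 100))
    offset = max(0, int(params.get("start", 0)))
    sql = (
        "SELECT id, email FROM users WHERE email LIKE ? "
        f"ORDER BY {order_by} LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (f"%{search}%", limit, offset)).fetchall()


def demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, created_at) VALUES (?, ?)",
        [
            ("alice@example.test", "2024-01-01"),
            ("bob@example.test", "2024-01-02"),
            ("carol@example.test", "2024-01-03"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(load_users(db, {"columns[0][data]": "email", "order[0][dir]": "desc"}))
    try:
        load_users(db, {"columns[0][data]": "password_hash"})
    except ValueError as exc:
        print("rejected:", exc)
```

The rejection path is what distinguishes this from the vulnerable pattern: a sort column that is not on the allowlist produces a 400-style error instead of being spliced into the statement, so the conditional-delay probing the advisory describes has no query text to influence. A detection-side corollary is that requests carrying a 'columns[0][data]' value that is not a known column name are worth alerting on, because a legitimate DataTables client only ever sends the column names it was served.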