DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter PostgreSQL SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The vulnerability exists in the 'status_sql.php' file, where SQL UPDATE queries are constructed by directly concatenating the user-supplied 'sw1' and 'sw2' parameters. Because neither parameterized queries nor proper input sanitization are used, the application is open to SQL injection. Although PostgreSQL's 'pg_exec' function does not support stacked queries, attackers can exploit this vulnerability by injecting subqueries to exfiltrate data and can use verbose error messages for reconnaissance.
Impact
Exploitation of this vulnerability allows for SQL injection, with the potential to exfiltrate data from the database by injecting subqueries into the 'sw2' parameter.
Reproduction
To reproduce this vulnerability, send a POST request to the 'status_sql.php' endpoint with the 'sw1' and 'sw2' parameters. The values of these parameters should be crafted to include SQL injection payloads, such as subqueries that exfiltrate data from the database. The injected SQL will be executed, and any results can be accessed through the application's response.
Remediation
The vulnerability can be remediated by using parameterized queries instead of concatenating user input directly into SQL commands. This approach ensures that user-supplied data is treated as data only, not executable code.
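As an added illustration (not code from the vendor or from 'status_sql.php'), the concatenation pattern the advisory describes is shown beside a parameterized rewrite using pg_query_params; the table and column names, the integer type of the switch values, the connection string and the error handling are assumptions.

```php
<?php
// Added example, not the vendor's code. Table `transmitter_status`, columns
// `sw1`/`sw2`/`id` and the connection string are hypothetical placeholders.

function update_switches_vulnerable($conn, array $post): void
{
    // User input is spliced straight into the statement text, so anything in
    // $post['sw2'] is parsed as SQL. This is the flaw the advisory describes.
    $sql = "UPDATE transmitter_status SET sw1 = '" . $post['sw1'] .
           "', sw2 = '" . $post['sw2'] . "' WHERE id = 1";
    pg_exec($conn, $sql);
}

function update_switches_fixed($conn, array $post): bool
{
    // Validate the expected shape first (assumption: the switches are numeric flags).
    if (!isset($post['sw1'], $post['sw2']) ||
        !ctype_digit((string) $post['sw1']) || !ctype_digit((string) $post['sw2'])) {
        return false;
    }

    // $1 and $2 are sent to the server as bound values; the query text itself
    // never contains user-supplied data, so it cannot change the statement.
    $result = pg_query_params(
        $conn,
        'UPDATE transmitter_status SET sw1 = $1, sw2 = $2 WHERE id = 1',
        [(int) $post['sw1'], (int) $post['sw2']]
    );

    if ($result === false) {
        // Log server-side only. Echoing pg_last_error() to the client would
        // provide the verbose error messages the advisory mentions.
        error_log('status update failed: ' . pg_last_error($conn));
        return false;
    }
    return true;
}

$conn = pg_connect('host=localhost dbname=mozart user=web'); // hypothetical DSN
if ($conn === false) {
    http_response_code(500);
    exit;
}
if (!update_switches_fixed($conn, $_POST)) {
    http_response_code(400);
}
```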
