SQLBot Missing Authentication Vulnerability in uploadExcel Endpoint Allowing Arbitrary File Upload and Data Injection
Vulnerability
A missing authentication vulnerability has been identified in SQLBot versions prior to 1.5.0, specifically in the /api/v1/datasource/uploadExcel endpoint. This vulnerability allows remote unauthenticated attackers to upload arbitrary Excel or CSV files, which are then parsed and injected directly into the PostgreSQL database. The endpoint is on the authentication whitelist, so requests to it skip token validation entirely. Exploitation of this vulnerability could lead to unauthorized data injection, with potential consequences such as stored cross-site scripting attacks, data poisoning of AI components, database pollution, and disk exhaustion, since uploaded files are never deleted.
Impact
Exploitation allows unauthenticated attackers to inject arbitrary data into the application's database, potentially leading to stored cross-site scripting attacks, data poisoning of AI components, database pollution, and disk exhaustion due to unmonitored file uploads.
Reproduction
To reproduce this vulnerability, send a POST request to the /api/v1/datasource/uploadExcel endpoint with a file parameter containing a malicious CSV file. The request can be made using a tool like curl. The expected response is an HTTP 200 status with a JSON payload confirming the upload.
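The defender-side counterpart to the request above: added example code (not part of this advisory or of SQLBot) that scans a reverse-proxy access log for successful POSTs to the uploadExcel endpoint that carried no Authorization header, which on a patched instance should instead be rejected. The JSON-lines log format and its auth_present field are assumptions; the sample log is constructed.

```python
import json
from collections import Counter

UPLOAD_ENDPOINT = "/api/v1/datasource/uploadExcel"

# Constructed JSON-lines access log (not from the advisory or from SQLBot).
# Assumed fields: the reverse proxy records only whether an Authorization
# header was present (auth_present), never the token itself.
SAMPLE_LOG = """\
{"ts": "2025-01-12T10:01:02Z", "src": "10.0.0.5", "method": "POST", "path": "/api/v1/datasource/uploadExcel", "status": 200, "auth_present": false}
{"ts": "2025-01-12T10:01:09Z", "src": "10.0.0.7", "method": "POST", "path": "/api/v1/datasource/uploadExcel", "status": 200, "auth_present": true}
{"ts": "2025-01-12T10:01:15Z", "src": "10.0.0.5", "method": "GET", "path": "/api/v1/datasource/list", "status": 401, "auth_present": false}
{"ts": "2025-01-12T10:02:40Z", "src": "10.0.0.5", "method": "POST", "path": "/api/v1/datasource/uploadExcel", "status": 200, "auth_present": false}
{"ts": "2025-01-12T10:02:41Z", "src": "10.0.0.5", "method": "POST", "path": "/api/v1/datasource/uploadExcel", "status": 200, "auth_present": false}
{"ts": "2025-01-12T10:03:00Z", "src": "10.0.0.9", "method": "POST", "path": "/api/v1/datasource/uploadExcel", "status": 401, "auth_present": false}
"""

def parse_log(text):
    """Parse JSON-lines entries, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def unauthenticated_uploads(events):
    """Uploads that returned 200 with no token: the unpatched behaviour."""
    return [
        e for e in events
        if e.get("path") == UPLOAD_ENDPOINT
        and e.get("method") == "POST"
        and e.get("status") == 200
        and not e.get("auth_present", False)
    ]

def noisy_sources(hits, threshold=2):
    """Sources with more than `threshold` anonymous uploads (disk-exhaustion signal)."""
    counts = Counter(e["src"] for e in hits)
    return {src: n for src, n in counts.items() if n > threshold}

if __name__ == "__main__":
    hits = unauthenticated_uploads(parse_log(SAMPLE_LOG))
    print(len(hits), "anonymous uploads; over threshold:", noisy_sources(hits))
```

A 401 for a token-less request, as in the last sample line, is what a 1.5.0 instance should produce; any 200 hit means the whitelist entry is still in effect.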
Remediation
Upgrade SQLBot to version 1.5.0, where this vulnerability has been fixed.
