Tarkov Data Manager Time-Based Blind SQL Injection Vulnerability

Vulnerability

A time-based blind SQL injection vulnerability has been identified in the Tarkov Data Manager tool, specifically in the webhook edit and scanner API endpoints. This vulnerability allows authenticated attackers to execute arbitrary SQL queries against the MySQL database. The issue arises because the 'id' parameter in the WHERE clause of an SQL query is directly interpolated from the URL without proper sanitization, leaving it vulnerable to injection attacks. This vulnerability affects versions of Tarkov Data Manager through 2.0.0.

Impact

Exploitation of this vulnerability allows authenticated attackers to read, modify, or delete any data in the MySQL database used by Tarkov Data Manager.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges can send a PUT request to the '/webhooks/:id' endpoint. The 'id' parameter can be manipulated to include a SQL injection payload, such as '3' AND SLEEP(3)-- -'. The response time will indicate whether the injection was successful, as it will be delayed by the duration specified in the payload.

Remediation

To address this vulnerability, use parameterized queries for all user input, including the 'id' parameter. Consult the SQL Injection Prevention Cheat Sheet from OWASP for guidance.
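The interpolation pattern the advisory describes beside its parameterized replacement, as an added illustration that is not Tarkov Data Manager's own code; the table and column names (`webhooks`, `url`, `id`), the route handler shape and the `execute` callback are assumptions.

```javascript
// Added illustration (not the project's code). Table/column names are assumed.

// Unsafe: the URL's ':id' is spliced straight into the WHERE clause, so any
// text after the closing quote is executed as SQL.
function buildUpdateUnsafe(id, url) {
  return `UPDATE webhooks SET url = '${url}' WHERE id = '${id}'`;
}

// Safe: the SQL text is fixed and values travel separately as bind parameters
// (with the mysql2 driver this pair is passed to connection.execute(sql, params)).
function buildUpdateSafe(id, url) {
  return { sql: 'UPDATE webhooks SET url = ? WHERE id = ?', params: [id, url] };
}

// Defense in depth: a route parameter that must be an integer id is validated
// before any query is built, so a malformed id is answered with a 400 and
// never reaches the database.
function parseWebhookId(raw) {
  if (!/^\d{1,10}$/.test(raw)) return null;
  return Number(raw);
}

// Shape of a PUT /webhooks/:id handler; `execute` stands in for the driver
// call so the example runs offline.
function handleWebhookUpdate(params, body, execute) {
  const id = parseWebhookId(params.id);
  if (id === null) return { status: 400, error: 'invalid webhook id' };
  const { sql, params: bind } = buildUpdateSafe(id, body.url);
  execute(sql, bind);
  return { status: 200 };
}

// Constructed sample: the payload quoted in the advisory's reproduction section.
const payload = "3' AND SLEEP(3)-- -";
const unsafeSql = buildUpdateUnsafe(payload, 'https://example.invalid/hook');
// unsafeSql now ends with: WHERE id = '3' AND SLEEP(3)-- -'
// The database evaluates SLEEP(3) and the response delay leaks the result.
const safe = buildUpdateSafe(payload, 'https://example.invalid/hook');
// safe.sql is unchanged; the same string is bound as data and matches no row.
```

In the parameterized form the driver never concatenates the value into the statement text, which is why the timing signal described under Reproduction disappears.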

Added: Jan 7, 2026, 8:02 PM
Updated: Jan 7, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.