Ormar SQL Injection Vulnerability in Aggregate Functions
Vulnerability
A SQL injection vulnerability has been identified in Ormar, an asynchronous ORM for Python, affecting versions from 0.9.9 up to but not including 0.22.0. The `min()` and `max()` aggregate functions accept a user-supplied column name and place it in the generated query without proper validation. An attacker who controls that column name can therefore inject arbitrary SQL into the aggregate query and read data the endpoint was never meant to expose. Any public API endpoint that forwards a request parameter to these aggregate functions as the column name is exploitable without authentication to the database itself.
Impact
Successful exploitation lets an attacker run attacker-chosen SQL in the application's database context, reading or modifying data that the affected endpoint was not intended to expose. In the provided proof of concept, the vulnerability was used to extract sensitive data, including administrative credentials and API keys, from a public API endpoint.
Reproduction
The vulnerability can be reproduced with an Ormar-based FastAPI application backed by SQLite. After setting up the application and populating the database with sample data, including an `admin_users` table holding sensitive values, the vulnerable endpoint is reachable at `/items/stats`. A request that supplies a crafted string as the column name passed to `min()` or `max()` causes that string to be executed as part of the SQL query, allowing extraction of database contents such as the rows of `admin_users`.
Remediation
Users are advised to upgrade to Ormar version 0.23.0, which addresses the vulnerability by validating the column name passed to the `min()` and `max()` aggregate functions. Until the upgrade is applied, applications should check any user-supplied column name against the set of the model's field names before passing it to these functions, since identifiers cannot be protected by query parameter binding.
