Roxy-WI SQL Injection Vulnerability in haproxy_section_save Function

Vulnerability

A SQL injection vulnerability has been identified in Roxy-WI versions prior to 8.2.6.4. The issue arises in the haproxy_section_save function, where the server_ip parameter is extracted from the URL path and passed through several function calls without proper sanitization. Ultimately, this parameter is interpolated into a SQL query using Python's string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 addresses this vulnerability by implementing proper validation and sanitization of the server_ip parameter.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could lead to unauthorized data access, data manipulation, and in some cases, remote code execution on the database server.

Reproduction

To reproduce this vulnerability, send a POST request to the /section/haproxy/<server_ip>/save endpoint, replacing <server_ip> with a crafted payload that includes malicious SQL commands. The server_ip parameter will be processed without sanitization, allowing the injected SQL to be executed against the application's database.

Remediation

Users can update to Roxy-WI version 8.2.6.4 or later, which includes the necessary fixes for this vulnerability.
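As an added illustration (not Roxy-WI's own code), the pattern the advisory describes, a path parameter interpolated into SQL with Python string formatting, placed beside a hardened form that validates server_ip as a literal IP address and binds it as a query parameter. The table, column names and sample rows are constructed for this example; sqlite3 stands in for the application's database.

```python
import ipaddress
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's server list.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT)")
    conn.executemany(
        "INSERT INTO servers (ip, hostname) VALUES (?, ?)",
        [("10.0.0.5", "lb-01"), ("10.0.0.6", "lb-02")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, server_ip):
    # Anti-pattern from the advisory: the value taken from the URL path is
    # spliced into the SQL text, so whatever it contains is parsed as SQL.
    query = "SELECT id, hostname FROM servers WHERE ip = '%s'" % server_ip
    return conn.execute(query).fetchall()


def is_valid_server_ip(server_ip):
    # Allow-list check: only a literal IPv4 or IPv6 address passes.
    # ipaddress.ip_address raises ValueError for anything else.
    try:
        ipaddress.ip_address(server_ip)
        return True
    except ValueError:
        return False


def lookup_hardened(conn, server_ip):
    # Validate before the value reaches the database layer, then let the
    # driver bind it as a parameter so it is never interpreted as SQL.
    if not is_valid_server_ip(server_ip):
        raise ValueError("server_ip is not a valid IP address")
    ip = str(ipaddress.ip_address(server_ip))  # canonical form
    return conn.execute("SELECT id, hostname FROM servers WHERE ip = ?", (ip,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, "10.0.0.5"))
    print(is_valid_server_ip("10.0.0.5 extra"))
```

On well-formed input both functions return the same row; the hardened version differs only in refusing anything that is not an IP address and in binding the value instead of formatting it into the query.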

Added: Apr 24, 2026, 3:25 AM
Updated: Apr 24, 2026, 3:25 AM

Vulnerability Rating
Custom Algorithm

spread: 0.3
impact: 3.1
exploitability: 9.1
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.