SQLBot Text-to-SQL Interface Prompt Injection Vulnerability Leading to Remote Code Execution

A critical prompt injection vulnerability has been identified in SQLBot's Text-to-SQL chat interface, affecting versions through 1.7.0. The vulnerability arises because user-provided questions are directly added to the language model (LLM) prompt without any filtering or escaping. SQL extracted from the LLM response is then executed against the database without validation or sanitization. This allows an authenticated attacker to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this exploitation can lead to remote code execution via the 'COPY FROM PROGRAM' command.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, with the potential for remote code execution on the database server through crafted SQL commands that utilize PostgreSQL's 'COPY FROM PROGRAM' functionality.

Reproduction

To reproduce this vulnerability, log into SQLBot and navigate to the Text2SQL chat interface. Select a PostgreSQL data source and enter a crafted question that includes XML tags and instructions to manipulate the LLM's response. The LLM will generate SQL based on the injected prompts, which is then executed on the database.

Remediation

Users are advised to upgrade SQLBot to version 1.7.1, where this vulnerability has been fixed.