StratonWebDesigners HireFlow SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in HireFlow version 1.2, specifically within the '/login' and '/search' endpoints. The issue arises because user input is concatenated directly into SQL query strings without parameterization. This flaw allows an unauthenticated attacker to bypass authentication by sending a crafted username such as admin'-- (the target account name, a closing quote, and a SQL comment delimiter that truncates the rest of the WHERE clause, including the password check). Additionally, the vulnerability can be exploited to extract the entire database, including user credentials, through UNION-based injection in the 'q' parameter of the '/search' endpoint.
Impact
Exploitation of this vulnerability allows for full authentication bypass, granting access to any user account, including admin, without a password. It also enables complete exfiltration of the database, exposing all candidate records, user credentials, and interview data.
Reproduction
To reproduce this vulnerability, send a POST request to the '/login' endpoint with a username of the form admin'-- and any password; the comment delimiter removes the password condition from the query, and the request is authenticated as admin. For the '/search' endpoint, send a UNION-based injection payload in the 'q' parameter (a closing quote, then UNION SELECT against the users table, then a comment delimiter) to return usernames and password hashes alongside the normal search results. Note that the exact comment syntax depends on the database engine: -- works on SQLite and PostgreSQL, while MySQL requires a trailing space (-- ) or the # delimiter.
Remediation
The vulnerability has been patched in version 1.3. Users are advised to update to this version. For future development, replace all raw string concatenation in SQL queries with parameterized queries or prepared statements, so that user input is always passed as a bound value and never as part of the query text. Alternatively, use an Object-Relational Mapping (ORM) tool like SQLAlchemy, which parameterizes queries built through its expression API; note that an ORM does not protect raw SQL that is still assembled by string formatting and then handed to it as text.
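The following is an added example illustrating both the reproduction steps and the remediation above. It is not HireFlow's code: the table and column names, the SHA-256 password hashing, and the use of an in-memory SQLite database are all assumptions made so the example runs offline. The vulnerable functions build query strings by concatenation exactly as the advisory describes, and the hardened versions pass the same input as bound parameters.

```python
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema and data standing in for HireFlow's database.

    Table and column names are hypothetical; the advisory does not publish the
    real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT
        );
        CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, position TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("admin", hashlib.sha256(b"S3cret!").hexdigest(), "admin"),
            ("recruiter", hashlib.sha256(b"hunter2").hexdigest(), "user"),
        ],
    )
    conn.executemany(
        "INSERT INTO candidates (name, position) VALUES (?, ?)",
        [("Alice Example", "Backend Engineer"), ("Bob Sample", "Data Analyst")],
    )
    conn.commit()
    return conn


# --- Vulnerable pattern (what the advisory describes for version 1.2) ---

def login_vulnerable(conn, username: str, password: str):
    """Username is concatenated into the query text. A username of admin'--
    closes the string literal and comments out the password check."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def search_vulnerable(conn, q: str):
    """The 'q' parameter is concatenated into a LIKE pattern. A UNION payload
    appends rows from the users table to the candidate results."""
    query = "SELECT name, position FROM candidates WHERE name LIKE '%" + q + "%'"
    return conn.execute(query).fetchall()


# --- Remediated pattern (parameterized queries) ---

def login_safe(conn, username: str, password: str):
    """The driver binds username and hash as values; quotes and comment
    delimiters in the input are never interpreted as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()


def search_safe(conn, q: str):
    """The wildcard is added to the bound value, not to the query text."""
    return conn.execute(
        "SELECT name, position FROM candidates WHERE name LIKE ?",
        ("%" + q + "%",),
    ).fetchall()


# Payloads from the Reproduction section (SQLite accepts the bare -- delimiter).
LOGIN_PAYLOAD = "admin'--"
SEARCH_PAYLOAD = "' UNION SELECT username, password_hash FROM users--"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login:", login_vulnerable(db, LOGIN_PAYLOAD, "wrong"))
    print("vulnerable search:", search_vulnerable(db, SEARCH_PAYLOAD))
    print("safe login:", login_safe(db, LOGIN_PAYLOAD, "wrong"))
    print("safe search:", search_safe(db, SEARCH_PAYLOAD))
```

Against the vulnerable functions, the login payload returns the admin row with no valid password, and the search payload returns the two candidates plus every username and password hash. Against the parameterized versions the same payloads are treated as literal strings: the login returns no row and the search matches no candidate. Parameterization does not neutralize LIKE wildcards, so if '%' or '_' in user input must be matched literally they still need to be escaped with an ESCAPE clause.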
