Saltcorn SQL Injection Vulnerability in Mobile-Sync Routes Allowing Database Exfiltration
Vulnerability
A SQL injection vulnerability has been identified in Saltcorn versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5. This vulnerability exists in the mobile-sync routes, specifically `POST /sync/load_changes` and `POST /sync/deletes`. It allows authenticated low-privilege users with read access to at least one table to inject arbitrary SQL through sync parameters. The exploitation of this vulnerability could lead to full database exfiltration, including admin password hashes and configuration secrets, and may also allow for database modification or destruction, depending on the backend.
Impact
Exploitation of this vulnerability allows authenticated low-privilege users to perform SQL injection, leading to unauthorized database access and manipulation. This includes exfiltrating sensitive information such as password hashes and configuration secrets, and potentially modifying or destroying database contents, depending on the backend.
Reproduction
To reproduce this vulnerability, authenticate as a low-privilege user with read access to at least one table. Then, send a crafted request to the `/sync/load_changes` or `/sync/deletes` endpoint, including a malicious SQL expression in the sync metadata that will be interpolated into the SQL query. Successful exploitation will result in the injected SQL being executed and the response containing the exfiltrated database information.
Remediation
Users can upgrade to Saltcorn versions 1.4.6, 1.5.6, or 1.6.0-beta.5 to address this vulnerability.
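The defect described above is client-supplied sync metadata interpolated into query text. The following is an added illustration, not Saltcorn's code, of how a sync handler can build the `load_changes` and `deletes` queries safely: identifiers are accepted only if they exist in a server-side schema, and every value is bound as a parameter. The `SCHEMA` object, the function names and the PostgreSQL `$n` placeholder style are assumptions for the example.

```javascript
// Added example (hypothetical, not Saltcorn's own code): building the SQL
// for mobile-sync "load changes" and "deletes" requests without putting
// request data into the query string.

// Constructed stand-in for the server-side table schema.
const SCHEMA = {
  books: ["id", "title", "updated_at"],
  orders: ["id", "total", "updated_at"],
};

// Quote an identifier only after confirming it is a known schema name.
// Anything else is rejected instead of being interpolated.
function safeIdentifier(name, allowed) {
  if (typeof name !== "string" || !allowed.includes(name)) {
    throw new Error(`unknown identifier: ${JSON.stringify(name)}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// load_changes: rows of one table modified after a client-supplied
// timestamp. The table is validated against SCHEMA before lookup (so
// names such as "constructor" cannot reach the prototype), and the
// timestamp is parsed, normalised and bound as $1.
function buildLoadChanges(table, sinceIso) {
  const t = safeIdentifier(table, Object.keys(SCHEMA));
  const columns = SCHEMA[table];
  const cols = columns.map((c) => safeIdentifier(c, columns)).join(", ");
  const ts = Date.parse(sinceIso);
  if (Number.isNaN(ts)) throw new Error("invalid timestamp");
  return {
    text: `SELECT ${cols} FROM ${t} WHERE ${safeIdentifier("updated_at", columns)} > $1`,
    values: [new Date(ts).toISOString()],
  };
}

// deletes: ids the client reports as removed. Only integer ids are
// accepted, and each one gets its own placeholder.
function buildDeletes(table, ids) {
  const t = safeIdentifier(table, Object.keys(SCHEMA));
  if (!Array.isArray(ids) || ids.length === 0 || !ids.every(Number.isInteger)) {
    throw new Error("ids must be a non-empty array of integers");
  }
  const placeholders = ids.map((_, i) => `$${i + 1}`).join(", ");
  return { text: `DELETE FROM ${t} WHERE "id" IN (${placeholders})`, values: ids };
}
```

The returned `{ text, values }` pair is what a driver such as `pg` expects for a parameterised query; a SQLite backend would use `?` placeholders, but the identifier allowlisting is the same.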
