SQLBot Cross-Workspace IDOR and Authorization Bypass Vulnerability
Vulnerability
A Cross-Workspace Insecure Direct Object Reference (IDOR) and Authorization Bypass vulnerability has been identified in SQLBot versions prior to 1.8.0. This vulnerability exists in the '/api/v1/datasource/exportDsSchema' and '/api/v1/datasource/uploadDsSchema' endpoints, allowing an attacker to access and modify database schemas and data sources belonging to other tenants or workspaces. The issue arises because the affected API endpoints lack proper authorization checks, enabling unauthorized access to sensitive data and cross-workspace data tampering.
Impact
Exploitation of this vulnerability allows authenticated users to access and manipulate data sources and database schemas of other tenants. This could lead to unauthorized data access, such as exporting confidential database schemas from other organizations, and cross-workspace data tampering, where an attacker could modify database connection details or metadata for databases belonging to different organizations.
Reproduction
To reproduce this vulnerability, log in as an authenticated user with a valid token. The vulnerability can be exploited by sending a request to the '/api/v1/datasource/exportDsSchema' endpoint, targeting a Data Source ID that belongs to a different workspace. The server will process the request without validating workspace ownership, allowing the attacker to download the database schema from the other workspace. This can be automated with a script that logs in and exploits the IDOR vulnerability.
Remediation
Users are advised to upgrade SQLBot to version 1.8.0 or later, where this vulnerability has been fixed.
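For teams maintaining similar endpoints, the following added example (not SQLBot's code and not the 1.8.0 fix) shows the workspace ownership check that the Vulnerability section describes as missing, with the unchecked lookup next to it for contrast. The User and DataSource types, the function names and the in-memory store are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical names throughout; this is not SQLBot's code.
class Forbidden(Exception):
    """Caller may not touch the requested data source."""

@dataclass(frozen=True)
class User:
    id: int
    workspace_id: int

@dataclass
class DataSource:
    id: int
    workspace_id: int
    schema: dict

# Constructed sample data: two data sources in two different workspaces.
DATASOURCES = {
    1: DataSource(1, 10, {"orders": ["id", "total"]}),
    2: DataSource(2, 20, {"patients": ["id", "name"]}),
}

def export_schema_unchecked(user: User, ds_id: int) -> dict:
    """Flawed pattern: authenticated, but the ID alone selects the object."""
    return dict(DATASOURCES[ds_id].schema)

def load_owned_datasource(user: User, ds_id: int) -> DataSource:
    """Return the data source only if it is in the caller's workspace."""
    ds = DATASOURCES.get(ds_id)
    # Same error for unknown and foreign IDs, so responses do not reveal
    # which IDs exist in other workspaces.
    if ds is None or ds.workspace_id != user.workspace_id:
        raise Forbidden(f"data source {ds_id} is not accessible")
    return ds

def export_schema(user: User, ds_id: int) -> dict:
    """Read path: ownership check first, then return a copy."""
    return dict(load_owned_datasource(user, ds_id).schema)

def upload_schema(user: User, ds_id: int, schema: dict) -> None:
    """Write path: the same check runs before anything is modified."""
    load_owned_datasource(user, ds_id).schema = dict(schema)
```

Routing both the read and the write path through one loader keeps the check from being forgotten on a new endpoint, and the same cases make a useful regression test after upgrading.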
