Flight PHP SQL Injection Vulnerability in SimplePdo Database Operations

Vulnerability

A SQL injection vulnerability has been identified in Flight PHP versions prior to 3.18.1. The issue arises in the SimplePdo database helper methods: insert(), update(), and delete(). These methods construct SQL queries by directly concatenating the table name and the keys from the data array, without proper validation or quoting of identifiers. This flaw allows attackers to inject arbitrary SQL by manipulating the array keys with malicious payloads. The vulnerability is particularly concerning when user-controlled data is passed to these methods, a common practice in Flight PHP applications.

Impact

Exploitation of this vulnerability allows for SQL injection, with potential impacts including unauthorized data manipulation, such as privilege escalation by creating administrative accounts or modifying user roles, and data exfiltration or destruction through crafted SQL commands.

Reproduction

To reproduce this vulnerability, use a Flight PHP version prior to 3.18.1. Call the SimplePdo insert(), update(), or delete() methods with user-controlled data that includes maliciously crafted keys. The injected SQL will be executed without proper sanitization, allowing for arbitrary SQL execution. For example, injecting a key that includes SQL syntax can manipulate the database in unintended ways.

Remediation

Users are advised to update to Flight PHP version 3.18.1 or later, where this vulnerability has been fixed. The update includes a new helper function that validates table and column names before they are used in SQL queries, preventing injection attacks.
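As an added illustration of the flaw described under Vulnerability and of the identifier-validation approach described under Remediation, the following PHP contrasts the unsafe concatenation pattern with a hardened equivalent. This is example code written for this page, not Flight PHP's own SimplePdo implementation and not the helper shipped in 3.18.1; the function names unsafeInsertSql, assertSafeIdentifier and safeInsert, the regex allowlist, the backtick quoting and the in-memory SQLite database used for the demonstration are all assumptions.

```php
<?php
// Added example, not Flight PHP's code. Function names, the identifier
// regex, backtick quoting and the SQLite demo database are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern (as described in the advisory): the table name and the
 * keys of the data array are concatenated straight into the SQL text. Only
 * the values are bound, so whatever a caller puts in a key becomes part of
 * the statement itself. Shown here only as a string builder; never executed.
 */
function unsafeInsertSql(string $table, array $data): string
{
    $columns      = implode(', ', array_keys($data));
    $placeholders = implode(', ', array_fill(0, count($data), '?'));
    return "INSERT INTO $table ($columns) VALUES ($placeholders)";
}

/**
 * Hardened pattern: every identifier must match a strict allowlist before it
 * is quoted and placed in the statement. Values are still bound as parameters.
 * Returns the quoted identifier; throws on anything that is not a plain name.
 */
function assertSafeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('Unsafe SQL identifier: ' . json_encode($name));
    }
    return '`' . $name . '`';   // backtick quoting suits MySQL/SQLite; adapt per driver
}

function safeInsert(PDO $pdo, string $table, array $data): int
{
    $columns      = array_map('assertSafeIdentifier', array_keys($data));
    $placeholders = implode(', ', array_fill(0, count($data), '?'));
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        assertSafeIdentifier($table),
        implode(', ', $columns),
        $placeholders
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($data));   // values go through bound parameters
    return (int) $pdo->lastInsertId();
}

// Demonstration on a constructed in-memory SQLite database (assumes ext/pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');

// In a typical Flight handler the array comes from the request body, so the
// client controls the keys as well as the values. Benign keys look harmless
// in the unsafe builder, which is why the defect is easy to miss in review.
$fromRequest = ['email' => 'alice@example.com', 'role' => 'user'];
echo unsafeInsertSql('users', $fromRequest), PHP_EOL;
$id = safeInsert($pdo, 'users', $fromRequest);
echo "inserted row $id", PHP_EOL;

// A key that is not a plain identifier is rejected before any SQL is built.
try {
    safeInsert($pdo, 'users', ['email; --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The regex allowlist is a generic identifier check; an application that knows its schema can be stricter by comparing each key against an explicit list of permitted column names for the table, which also prevents a client from writing to columns (such as a role field) it was never meant to touch. The same validation applies to the SET and WHERE identifiers of update() and delete().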

Added: May 13, 2026, 8:25 PM
Updated: May 13, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.0
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.