Daptin SQL Injection Vulnerability in Fuzzy Search API Allowing Full Database Read Access
Vulnerability
A SQL injection vulnerability has been identified in Daptin, a headless CMS that exposes GraphQL and JSON-API interfaces. It affects versions through 0.11.4. The flaw lies in the 'processFuzzySearch' function in 'server/resource/resource_findallpaginated.go' at line 1484: the user-supplied 'column' parameter is split on commas and each piece is interpolated directly into a raw SQL query without being validated against the database schema. Any authenticated user can exploit it, including users who self-register without admin approval, and thereby read the entire database. The issue has been patched in version 0.11.5.
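The root cause described above is an identifier (a column name) reaching SQL text unvalidated, which bound parameters alone cannot fix. The following Go snippet is an added illustration, not Daptin's own code: it places the vulnerable pattern (column list interpolated as received) beside a hardened form that checks every requested column against a schema allowlist and only binds the search term as a parameter. The table, the allowlisted columns and the function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// schemaColumns is a constructed allowlist: table name -> real column names.
// A real service would build it from the database schema at startup.
var schemaColumns = map[string]map[string]bool{
	"user_account": {"email": true, "name": true, "password": true},
}

// ErrUnknownColumn is returned when a requested column is not in the schema.
var ErrUnknownColumn = errors.New("unknown column")

// buildFuzzyWhereUnsafe mirrors the vulnerable pattern for contrast: the
// comma-separated 'column' parameter is interpolated into the query as-is,
// so anything the caller puts in it becomes part of the SQL text.
func buildFuzzyWhereUnsafe(table, columnParam string) string {
	var parts []string
	for _, col := range strings.Split(columnParam, ",") {
		parts = append(parts, strings.TrimSpace(col)+" LIKE ?")
	}
	return "SELECT * FROM " + table + " WHERE " + strings.Join(parts, " OR ")
}

// buildFuzzyWhereSafe validates each requested column against the allowlist,
// quotes the identifiers, and binds the search term as a parameter. An empty
// piece (e.g. a trailing comma) or an unknown name is rejected, not guessed.
func buildFuzzyWhereSafe(table, columnParam, term string) (string, []interface{}, error) {
	cols, ok := schemaColumns[table]
	if !ok {
		return "", nil, fmt.Errorf("unknown table: %s", table)
	}
	var parts []string
	var args []interface{}
	for _, raw := range strings.Split(columnParam, ",") {
		col := strings.TrimSpace(raw)
		if !cols[col] {
			return "", nil, fmt.Errorf("%w: %q", ErrUnknownColumn, col)
		}
		// Allowlisted names contain no quote characters, so plain
		// double-quoting yields a valid standard SQL identifier.
		parts = append(parts, "\""+col+"\" LIKE ?")
		args = append(args, "%"+term+"%")
	}
	query := "SELECT * FROM \"" + table + "\" WHERE " + strings.Join(parts, " OR ")
	return query, args, nil
}

func main() {
	q, args, err := buildFuzzyWhereSafe("user_account", "email, name", "bob")
	fmt.Println(q, args, err)
	_, _, err = buildFuzzyWhereSafe("user_account", "email,no_such_column", "bob")
	fmt.Println("rejected:", err)
}
```

The hardened builder fails closed: a request naming any column that is not in the schema is refused before a query is built, which is the check the advisory says was missing. Logging such rejections is also a cheap detection signal, since legitimate clients have no reason to request nonexistent columns.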
Impact
Exploitation of this vulnerability allows boolean-blind SQL injection, enabling an authenticated user to extract data from the entire database. This includes every table listed in 'sqlite_master' and credential information such as email addresses and password hashes from the 'user_account' table. Extraction costs approximately 7 HTTP requests per character, which makes retrieving the complete database contents feasible.
Reproduction
To reproduce this vulnerability, first sign up for an account on a Daptin instance with self-signup enabled. After logging in, send a GET request to the '/api/<entity>' endpoint with the 'operator' parameter set to 'fuzzy' (or 'fuzzy_any' or 'fuzzy_all') and a crafted 'column' parameter that triggers the SQL injection flaw. The injection can be confirmed by extracting data from the database, for example from the 'sqlite_master' table or from the 'user_account' table, which holds sensitive credential information.
Remediation
Users are advised to upgrade to Daptin version 0.11.5 or later, where this vulnerability has been fixed.
