apconw Aix-DB SQL Injection Vulnerability in Terminology Management Feature

Vulnerability

A SQL injection vulnerability has been identified in apconw Aix-DB versions through 1.2.3. The issue arises in the agent/text2sql/rag/terminology_retriever.py file, where the 'Description' argument can be manipulated to inject malicious SQL. This vulnerability requires local access to exploit. Once exploited, it allows for the execution of arbitrary SQL commands, which can be leveraged to execute system commands on the database server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for SQL injection, with the injected SQL being executed without any type checking. This could lead to arbitrary command execution on the database server, achieved by using PostgreSQL's 'COPY FROM PROGRAM' functionality.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'Terminology Management' page. Add a new terminology entry with a name such as 'Database Version' and include a malicious payload in the 'Description' field designed to inject SQL. Once the terminology is saved, use the chat interface to query the database version. The application will process the request, retrieve the injected terminology, and execute the malicious SQL, resulting in the execution of arbitrary commands on the server.

Remediation

It is recommended to implement SQL type checking before execution to prevent unauthorized SQL commands from being executed. This can be done by validating the SQL against a set of forbidden keywords and ensuring that only safe operations are allowed.
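As an added example (not code from the Aix-DB project), the check below shows one way to implement the pre-execution validation the remediation describes: it tokenizes the generated SQL so that keywords inside string literals or comments are neither missed nor miscounted, accepts a single SELECT/WITH/EXPLAIN statement, and rejects a set of forbidden keywords; the allowed and forbidden keyword sets are assumptions, not the project's. A keyword filter alone is easy to get around, so the query should also run under a read-only database role.

```python
import re

# Assumed policy: the text2sql path only ever needs read-only queries.
ALLOWED_FIRST_TOKENS = {"SELECT", "WITH", "EXPLAIN"}
# Assumed blocklist; COPY/PROGRAM cover the COPY FROM PROGRAM path named above.
FORBIDDEN_KEYWORDS = {
    "COPY", "PROGRAM", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER",
    "CREATE", "TRUNCATE", "GRANT", "EXECUTE", "CALL", "DO", "INTO",
}

# Tokenizer: keywords hidden in comments or string literals must not be counted,
# which is what a naive substring search gets wrong in both directions.
# Anything unrecognised (e.g. $$-quoted bodies) falls through as bare words,
# so a forbidden keyword inside one is still rejected (fail-closed).
_TOKEN_RE = re.compile(
    r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)        # -- and /* */ comments
  | (?P<string>'(?:[^']|'')*')             # single-quoted literal, '' escapes
  | (?P<ident>"(?:[^"]|"")*")              # quoted identifier
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)       # bare word or keyword
  | (?P<semi>;)
  | (?P<other>\S)                          # operators, punctuation, $ etc.
    """,
    re.VERBOSE | re.DOTALL,
)


def check_generated_sql(sql):
    """Return (ok, reason). Accepts exactly one read-only statement."""
    words, saw_semicolon = [], False
    for m in _TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "comment":
            continue                       # comments carry no SQL
        if kind == "semi":
            saw_semicolon = True           # a trailing ';' is harmless ...
            continue
        if saw_semicolon:
            return False, "multiple statements"   # ... a second statement is not
        if kind == "word":
            words.append(m.group().upper())
    if not words:
        return False, "empty statement"
    if words[0] not in ALLOWED_FIRST_TOKENS:
        return False, "statement type %s not allowed" % words[0]
    banned = FORBIDDEN_KEYWORDS.intersection(words)
    if banned:
        return False, "forbidden keyword %s" % sorted(banned)[0]
    return True, "ok"
```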

Added: Mar 22, 2026, 12:18 AM
Updated: Mar 22, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 4.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.