Tillywork versions v0.1.3 and below are affected by a critical SQL injection vulnerability. The flaw is located in the file app/common/helpers/query.builder.helper.ts. An authenticated user can exploit it to inject SQL into the query the server builds, enabling the execution of arbitrary queries against the server.
Basic Information
- Researcher: Kusol Watchara-Apanukorn (Head of research and community)
- Project link: https://github.com/tillywork/tillywork
- Hotfix: https://github.com/tillywork/tillywork/pull/288
- Tested version: v0.1.3 – Collaboration
Proof of Concept
1. Insert a single quote in the value while using the `in` operator. The server responds with a 500 Internal Server Error.
![[CVE-2025-60514] Tillywork — SQL Injection (Public Disclosure)](https://www.secstrike.ai/wp-content/uploads/2025/10/image-1024x536.png)
2. The SQL syntax error is visible in the server log.
![[CVE-2025-60514] Tillywork — SQL Injection (Public Disclosure)](https://www.secstrike.ai/wp-content/uploads/2025/10/image-1-1024x160.png)
Root cause: the server accepts direct value concatenation in `IN` and `NIN` clauses without parameterization.
![[CVE-2025-60514] Tillywork — SQL Injection (Public Disclosure)](https://www.secstrike.ai/wp-content/uploads/2025/10/image-2.png)
![[CVE-2025-60514] Tillywork — SQL Injection (Public Disclosure)](https://www.secstrike.ai/wp-content/uploads/2025/10/image-3.png)
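The following is an added illustrative example, not code from Tillywork's query.builder.helper.ts or from the hotfix PR. It places the concatenation pattern the root cause describes beside a parameterized replacement; the `Filter` shape, the `in`/`nin` operator names and the PostgreSQL-style `$n` placeholders are assumptions.

```typescript
// Added illustrative example (not Tillywork's own code). Shows the
// value-concatenation pattern for "in"/"nin" operators beside a
// parameterized replacement. Filter shape and placeholder style are assumed.

type Filter = { field: string; operator: "in" | "nin"; value: unknown };

// Vulnerable: values are spliced straight into the SQL string. A value
// containing a single quote breaks the statement (the 500 seen in the PoC)
// and lets the caller change the query's meaning.
function buildInClauseVulnerable(f: Filter): string {
  const list = (f.value as unknown[]).map((v) => `'${v}'`).join(", ");
  const op = f.operator === "in" ? "IN" : "NOT IN";
  return `"${f.field}" ${op} (${list})`;
}

// Hardened: the SQL text contains only placeholders; values travel
// separately as parameters, so the driver never interprets them as SQL.
// `paramOffset` lets the clause be appended to a query that already binds
// $1..$n. An empty list is special-cased because `IN ()` is a syntax
// error in PostgreSQL.
function buildInClauseSafe(
  f: Filter,
  paramOffset = 0,
): { sql: string; params: unknown[] } {
  if (!Array.isArray(f.value)) {
    throw new TypeError(`operator "${f.operator}" requires an array value`);
  }
  // The column name cannot be bound as a parameter, so it is allow-listed
  // instead of being trusted from the request.
  if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(f.field)) {
    throw new Error(`invalid field name: ${f.field}`);
  }
  const values = f.value as unknown[];
  if (values.length === 0) {
    // IN of nothing is always false; NOT IN of nothing is always true.
    return { sql: f.operator === "in" ? "1 = 0" : "1 = 1", params: [] };
  }
  const placeholders = values
    .map((_, i) => `$${paramOffset + i + 1}`)
    .join(", ");
  const op = f.operator === "in" ? "IN" : "NOT IN";
  return { sql: `"${f.field}" ${op} (${placeholders})`, params: values };
}
```

The hardened builder returns the clause and its parameter list separately; the caller passes both to the database driver rather than interpolating the values.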