TaxonWorks is an essential web-based workbench tool for taxonomists and biodiversity scientists. It plays a crucial role in helping scientists catalog and manage taxonomic data. However, it has recently come to light that there is a critical vulnerability in TaxonWorks versions prior to .34.. This vulnerability, officially documented as CVE-2023-43640, exposes TaxonWorks users to a SQL injection attack that may lead to information disclosure.

In this long-read post, we will explore the details of the vulnerability, its potential impacts, and the crucial steps you must take to secure your TaxonWorks instance.

The Vulnerability: SQL Injection

A SQL injection vulnerability was found in TaxonWorks, allowing authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure.

This vulnerability affects TaxonWorks versions prior to .34..

Exploit Details

An example of exploiting this SQL injection vulnerability involves injecting malicious SQL code into a query. When this malicious code executes, it may allow an attacker to extract data from the database – in this case, potentially exposing user information.

Here's a simplified, illustrative snippet of the vulnerable pattern (pseudocode, not TaxonWorks' actual source):

def get_taxon_info(taxon_id):
    # VULNERABLE: the caller-supplied value is pasted straight into the SQL text,
    # so anything it contains is parsed as part of the statement
    query = f"SELECT * FROM taxon_data WHERE id = {taxon_id}"
    results = execute_query(query)
    return results

In this code snippet, the taxon_id parameter is interpolated directly into the SQL string without parameterization or validation. Because the database parses the finished string as a whole, an attacker who controls taxon_id can append SQL of their own and read data from other tables in the TaxonWorks database.

A potential SQL injection payload that could be exploited might look like this:

taxon_id = "1 UNION ALL SELECT * FROM users; --"

The UNION appends the rows of the users table to the legitimate result set, and the trailing comment marker discards whatever the original query had after the injection point, so the attacker receives user records alongside the taxon data, leading to information disclosure.

Mitigation

This vulnerability is fixed in TaxonWorks version .34.. Upgrading to the most recent version of TaxonWorks protects you from this SQL injection vulnerability.

It is essential to always keep your software up to date with the most recent security patches and releases. The original reference for this vulnerability can be found here.

If you cannot upgrade your TaxonWorks instance immediately, you should consider implementing additional security controls in the meantime. One such measure is using prepared (parameterized) statements for SQL query execution, which keep user-supplied values out of the SQL text entirely and so prevent SQL injection.

For example, you could modify the vulnerable get_taxon_info() function like so:

def get_taxon_info(taxon_id):
    # FIXED: the SQL text contains only a placeholder; the value travels
    # separately as a bound parameter and is never parsed as SQL
    query = "SELECT * FROM taxon_data WHERE id = ?"
    results = execute_prepared_query(query, (taxon_id,))
    return results

This change replaces the string formatting with a parameter placeholder, here a question mark (?). The taxon_id is passed as a tuple of bound values; the database driver sends it separately from the statement text, so the value is treated as data and can never alter the query's structure. Note that the placeholder syntax depends on the driver (? in SQLite and several DB-API drivers, $1 or %s in PostgreSQL drivers), and that parameters can only carry values: table names, column names and ORDER BY clauses still have to be validated against an allow-list.
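To show both halves of the post side by side, the vulnerable interpolation from the earlier snippet and the parameterized fix from the one just above, here is an added, self-contained example. It is not TaxonWorks code: the table layout is a constructed stand-in (the real schema is not on this page), the in-memory SQLite database and the helper names build_demo_db, get_taxon_info_vulnerable, get_taxon_info_fixed and is_valid_taxon_id are assumptions for the demo, and the payload is the one quoted in the post. Running it shows the vulnerable function returning a users row next to the taxon row, while the fixed function returns nothing for the same input and still works for a normal id. An integer check at the edge is included as a second, independent layer.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for the TaxonWorks schema.

    Table and column names are assumptions for this example; the users table
    is given the same column count as taxon_data so the UNION from the post
    lines up, as an attacker would arrange it anyway.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE taxon_data (id INTEGER PRIMARY KEY, name TEXT, rank TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_digest TEXT);
        INSERT INTO taxon_data VALUES (1, 'Apis mellifera', 'species');
        INSERT INTO taxon_data VALUES (2, 'Apis', 'genus');
        INSERT INTO users VALUES (1, 'admin@example.org', 'constructed-digest');
        """
    )
    return conn


def get_taxon_info_vulnerable(conn, taxon_id):
    """Mirrors the post's vulnerable snippet: the value is pasted into the SQL."""
    query = f"SELECT * FROM taxon_data WHERE id = {taxon_id}"
    return conn.execute(query).fetchall()


def get_taxon_info_fixed(conn, taxon_id):
    """Mirrors the post's fix: a bound parameter, never parsed as SQL.

    sqlite3 uses '?' placeholders; a PostgreSQL driver would use %s or $1.
    """
    query = "SELECT * FROM taxon_data WHERE id = ?"
    return conn.execute(query, (taxon_id,)).fetchall()


def is_valid_taxon_id(raw):
    """Defence in depth: a taxon id is a positive integer, nothing else."""
    return isinstance(raw, str) and raw.isdigit() and int(raw) > 0


def parse_taxon_id(raw):
    """Reject malformed ids at the request boundary, before any SQL is built."""
    if not is_valid_taxon_id(raw):
        raise ValueError(f"invalid taxon id: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "1 UNION ALL SELECT * FROM users; --"  # payload quoted in the post

    print("vulnerable:", get_taxon_info_vulnerable(conn, payload))
    # -> taxon row followed by the users row: information disclosure

    print("fixed, same input:", get_taxon_info_fixed(conn, payload))
    # -> [] : the whole string is compared as a value and matches no id

    print("fixed, normal input:", get_taxon_info_fixed(conn, 1))
    # -> [(1, 'Apis mellifera', 'species')]

    print("validation accepts '1':", is_valid_taxon_id("1"))
    print("validation accepts payload:", is_valid_taxon_id(payload))
```

The fixed function is the real control: even with validation removed, the bound parameter cannot change the statement's shape. The integer check is worth keeping anyway, because it fails closed with a clear error at the controller boundary and leaves a log entry a defender can alert on, rather than a silent empty result.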

In closing, addressing the SQL injection vulnerability in TaxonWorks is crucial to protecting your taxonomic data and user information. Be sure to upgrade to version .34. or take additional security steps to protect your TaxonWorks instance.

Timeline

Published on: 09/22/2023 18:15:12 UTC
Last modified on: 09/25/2023 17:38:59 UTC