Protect Your SQLpage Database: Update to Fix a Severe Vulnerability

CVECVE-2023-42454
CVSScvssV3_1: 10
SourceCVE-2023-42454

SQLpage is a popular open source SQL-based web application builder. Unfortunately, versions prior to 0.11.1 of SQLpage are vulnerable to a serious security issue that allows attackers to access the database directly.

The vulnerability stems from the way older versions of SQLpage store the database connection details. If the connection string is configured in the sqlpage.json file instead of an environment variable, and the web root folder is set to the current directory, an attacker can simply view the configuration file to retrieve the database login credentials.

With the credentials in hand, the attacker can then connect directly to the database, bypassing all of SQLpage’s authorization checks. Depending on the database permissions, this could allow the attacker to view, modify or delete data.

The good news is SQLpage has released version 0.11.1 which fixes this issue. If you have an older version installed, be sure to update immediately. As a temporary workaround, you can also configure the database connection using an environment variable or change the web root folder.

Most importantly, never expose your database publicly on the internet. Keep it protected behind a firewall on your internal network. Taking these basic steps will help secure your SQLpage installation and protect sensitive data from exploitation.

References