CVE-2023-27649 - SQL Injection in Trusted Tools Free Music – What You Need to Know
In early 2023, a critical vulnerability (CVE-2023-27649) was found in the Trusted Tools Free Music app. This flaw affects versions 2.1..47, 2...46, 1.9.1.45, and 1.8.2.43. The bug allows anyone on the internet to attack your music app’s back-end with a famous—but dangerous—hack called SQL Injection. In this post, we’ll explain how this works, what’s at risk, and how hackers could use it in the real world. We’ll even show you a code sample of how the bug happens and what attackers could do with it.
What Is SQL Injection?
SQL Injection is a type of web security weakness that lets attackers mess with your app’s database. If an app doesn’t properly check or clean up input from users, attackers can inject (add) their own SQL commands into regular queries and force the system to do things it shouldn’t.
Where’s the Problem in Free Music?
The affected Trusted Tools Free Music versions let you search for songs. Every time you search, your term gets written to a search history database table. But here, developers forgot to safely handle user input before adding it to SQL queries. This means a smart attacker could trick the system into running database commands of their choosing.
Here’s the entry from NVD (National Vulnerability Database):
> “Trusted Tools Free Music v.2.1..47, v.2...46, v.1.9.1.45, v.1.8.2.43 allows a remote attacker to cause a denial of service via the search history table.”
How Does the Attack Work?
Imagine a normal query in the app that records your search into the database. It might look like this (pseudo-code):
```python
# Vulnerable code snippet: the raw search term is pasted straight into the SQL text,
# so any quote character in the input changes the meaning of the statement
search_term = request.GET['search']
sql = "INSERT INTO search_history (query) VALUES ('%s')" % search_term
db.execute(sql)
```
What happens if someone enters something nasty, like

```text
test'); DROP TABLE search_history; --
```

With this “search term,” the final query the app sends to the database would be

```sql
INSERT INTO search_history (query) VALUES ('test'); DROP TABLE search_history; --')
```
See that `DROP TABLE search_history;`? The single quote and closing parenthesis in the input end the original `INSERT`, and what follows is a second statement that *deletes* the entire search history table! The double-dash `--` means “ignore the rest of this line,” so the leftover `')` from the original query never causes a syntax error. Now the attacker has just destroyed your data—an easy Denial of Service (DoS) attack.
Hit “Search,” and right away the app becomes unable to record or retrieve search history. That part of the app is broken until an admin restores the database table.
Protecting Against SQL Injection
The main fix is called “parameterized queries” or “prepared statements.” Rewrite your code like this:
```python
# SAFE code: the SQL text is fixed, and the search term is passed separately as a
# bound parameter (%s is the DB-API placeholder used by drivers such as psycopg2 or
# MySQLdb; sqlite3 uses ? instead)
search_term = request.GET['search']
sql = "INSERT INTO search_history (query) VALUES (%s)"
db.execute(sql, [search_term])
```
Here, the database treats the user’s input as a value, not as SQL code.
More Info & References
- NVD Entry for CVE-2023-27649
- OWASP SQL Injection Cheat Sheet
Bottom Line
If you run Trusted Tools Free Music, it’s time to upgrade. If you build any apps that talk to a database, *never* trust user input and always use prepared statements. This vulnerability is a reminder that even simple apps can have big risks if we’re not careful with data.
Patch your app and rebuild your search bar safely!
---
Timeline
Published on: 04/14/2023 12:15:00 UTC
Last modified on: 04/21/2023 04:14:00 UTC