CVE-2023-45674 - Critical SQL Injection in Farmbot-Web-App—How It Works, Risks, and Exploit Details

FarmBot is a cool project that lets people automate farming tasks, all through a web-based interface called the Farmbot-Web-App. But like many open-source apps, FarmBot had a serious problem: an SQL injection vulnerability that could let an attacker see private data from its database—even information about users.

That vulnerability is tracked as CVE-2023-45674, and here we’ll break it down in plain English: how it works, why it’s dangerous, how you can exploit it, and how to stay safe.

What is CVE-2023-45674?

CVE-2023-45674 is a security bug in the Farmbot-Web-App that lets an attacker with a valid account run custom SQL queries against the database. This means an attacker could:

Potentially change or destroy data (in some exploits)

The problem happens because the app isn't filtering user input correctly before passing it into the SQL database, letting attackers "inject" their own commands.

Anyone running earlier versions should upgrade immediately.

No workarounds or patches exist for earlier versions—you must update.

References

- NVD Listing - CVE-2023-45674
- Official GitHub Security Advisory
- FarmBot Web App Releases

How the Vulnerability Works

Let’s say there’s a search or filter function in the Farmbot-Web-App that lets you type in a query. Internally, the web app might be building an SQL statement like this:

# EXAMPLE (Ruby / Rails Controller)
# WARNING: Vulnerable pattern!
query = "SELECT * FROM users WHERE email = '#{params[:email]}'"
@user = ActiveRecord::Base.connection.execute(query)

If you enter a normal email like alice@example.com, no problem.

The query becomes

SELECT * FROM users WHERE email = '' OR 1=1 -- '

Proof of Concept (PoC) Exploit

Let’s pretend you can log in to your own account and use a filter-by-email box. Here’s a simplified exploit using curl to send a malicious parameter:

curl -b cookies.txt \
     -X GET "https://farmbot.example.com/api/users?email=%27%20OR%201%3D1--";

This means: email=' OR 1=1--

If the server returns all users or interesting information, it’s vulnerable.

A Better Exploit: Dumping the User Table

Let’s take it further. Imagine there’s a user search API you can POST to, or maybe in GraphQL or JSON:

{
    "email": "' UNION SELECT id, email, encrypted_password, 'xxx' FROM users--"
}

If you can inject unescaped SQL here, you can extract any fields. You can adjust the exploit to extract:

anything else in the DB

Even though this simple example doesn’t show the exact endpoint, the principle is the same: inject SQL where user input is directly put into DB queries.

Risks & Impact

- Information Disclosure: Attackers can learn usernames, hashed passwords, device secrets, even automation rules.

Account Takeover: If attackers can crack password hashes, they could hijack any account.

- Automation Disruption: Knowledge of device control logic, farm schedules, or hardware tokens could let attackers interfere with the farm itself.

How to Stay Safe

1. Upgrade Now
Update your Farmbot-Web-App to version 15.8.4 or later. This release fixes the unsafe code pattern.

2. Restrict Access
Only allow trusted users to log in. Prevent untrusted accounts from being created.

3. Watch the Logs
Attackers often poke around before launching serious exploits. Watch for suspicious logins or API requests.

4. Change Passwords
If you think your instance was exposed, have all users change their passwords ASAP.

5. Secure Other Parts of Your Network
If an attacker can see data, they might find API tokens, config files, or device access keys.

Conclusion

CVE-2023-45674 is a classic but serious SQL injection bug in Farmbot-Web-App. It could let insiders or anyone with a low-privilege account extract sensitive farm or user data. There is no workaround. The only fix is to upgrade to 15.8.4 or later.

Staying safe just means patching promptly, using strong passwords, and watching for odd activity in your logs.

Timeline

Published on: 10/14/2023 00:15:10 UTC
Last modified on: 10/18/2023 20:55:55 UTC