Remote Code Execution Vulnerability in sqlite-web
Closed this issue · 2 comments
Hi, I found a remote code execution vulnerability in your software (if you load at least one extension).
I created a challenge for a CTF for it (which is now over). Here's the writeup:
https://hxp.io/blog/102/hxp-CTF-2022-sqlite_web/
Basically a solution would be to disable extension_loading in SQL after loading the extension from command line and not just keeping it open.
If you have questions, feel free to contact me.
Best Regards,
sandr0
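As an added illustration of the mitigation proposed above (this is example code written for this thread, not sqlite-web's own code), the following uses Python's standard `sqlite3` module to load operator-supplied extensions once at startup and then lock the connection down before any user SQL runs. The function names `hardened_connection`, `leaky_connection` and `sql_load_extension_is_blocked`, and the non-existent placeholder path, are assumptions made for the example.

```python
import sqlite3

# Added illustration (not sqlite-web's code): load operator-chosen extensions
# once at startup, then make sure user-supplied SQL can no longer call
# load_extension(). Two independent layers are used:
#   1. enable_load_extension(False) right after the startup loads;
#   2. an authorizer that denies the load_extension() SQL function outright,
#      which works even if layer 1 is forgotten somewhere.

# Some Python builds are compiled without extension support at all.
HAS_EXTENSION_SUPPORT = hasattr(sqlite3.Connection, "enable_load_extension")


def load_startup_extensions(conn, extension_paths):
    """Load the given extensions via the C API, then turn loading back off.

    extension_paths is the trusted list an operator passes on the command
    line; it must never come from a request. Returns how many were loaded.
    """
    if not extension_paths:
        return 0
    if not HAS_EXTENSION_SUPPORT:
        raise RuntimeError("this Python/SQLite build cannot load extensions")
    conn.enable_load_extension(True)
    try:
        for path in extension_paths:
            conn.load_extension(path)
    finally:
        # Layer 1: whatever happened above, SQL-level loading is off again.
        conn.enable_load_extension(False)
    return len(extension_paths)


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    # Layer 2: refuse the load_extension() SQL function regardless of the
    # connection flag. For SQLITE_FUNCTION, arg2 carries the function name.
    if action == sqlite3.SQLITE_FUNCTION and arg2 == "load_extension":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def hardened_connection(path, extension_paths=()):
    """Open a connection the way a web front end should: extensions loaded
    at startup, then locked down before any user SQL is executed."""
    conn = sqlite3.connect(path)
    load_startup_extensions(conn, extension_paths)
    conn.set_authorizer(_authorizer)
    return conn


def leaky_connection(path, extension_paths=()):
    """The anti-pattern described in the issue: loading is switched on for
    the startup extensions and simply left on afterwards."""
    conn = sqlite3.connect(path)
    if HAS_EXTENSION_SUPPORT:
        conn.enable_load_extension(True)
        for p in extension_paths:
            conn.load_extension(p)
    return conn


def sql_load_extension_is_blocked(conn):
    """True if a SQL statement calling load_extension() is refused before
    any file is touched. The path is a constructed placeholder that does
    not exist, so on a leaky connection the failure is a dlopen error
    rather than an authorization error, and this returns False."""
    try:
        conn.execute("SELECT load_extension('/nonexistent/placeholder_ext.so')")
    except sqlite3.DatabaseError as exc:
        msg = str(exc)
        return "not authorized" in msg or "no such function" in msg
    return False


if __name__ == "__main__":
    print("hardened blocks SQL load_extension:",
          sql_load_extension_is_blocked(hardened_connection(":memory:")))
    print("leaky blocks SQL load_extension:   ",
          sql_load_extension_is_blocked(leaky_connection(":memory:")))
```

Running it with an empty extension list already shows the difference: the hardened connection reports `True`, while the leaky one reports `False` on any build that supports extension loading (on a build without support there is nothing to load either way, so both report `True`). A read-only connection or an authentication layer, as the maintainer notes, are additional and independent controls.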
This is such a stretch that I hesitate to even entertain it by writing this response, but here we are.
Extensions are not enabled by default:
The risk of running this on the public internet without authentication should hopefully be obvious. The fact that there is an RCE if and only if:
- You specify one or more loadable extensions,
- You do not use any kind of authentication mechanism
- You expose it on the public internet
- You do not turn on read-only (which might be sensible if running on public internet)
Then yes, you are asking for problems.
However,
- Sqlite-web does not run on the public internet by default - it listens on localhost:8080
- If you wish to run it on the internet, then you can set a password or turn it read-only, in which case this exploit can't happen.
True, makes sense. Just wanted to let you know :)