VYPR
Severity: Unrated (NVD) · NVD Advisory · Published Jan 9, 2023 · Updated Aug 6, 2024

CherishSin klattr sql injection

CVE-2014-125072

Description

A vulnerability classified as critical has been found in CherishSin klattr. The affected component is not identified. Manipulation of user-controlled input leads to SQL injection. The fix is commit f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1; applying that patch is recommended. The associated vulnerability database identifier is VDB-217719.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in CherishSin klattr allows attackers to execute arbitrary SQL commands via unsanitized user input.

Vulnerability

A critical SQL injection vulnerability exists in the CherishSin klattr application. The code builds SQL statements by interpolating user-supplied values directly into the query string, with neither input validation nor bound parameters. The affected queries are in the auth, evaluate_cookie, evaluate_password, evaluate_signup, and klattr_retrieve_queries functions, as shown in the commit diff [1]. No release version is given; every revision before commit f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1 is affected.

Exploitation

An attacker can exploit this vulnerability by sending crafted input in any of the values that reach the SQL queries: $UID, $e_key, $e_uname, $e_email, $profileID, $sub_regexp, or $parentId. Some of these vectors require no authentication, since the session-cookie path (evaluate_cookie) is evaluated before a session has been established; the signup and login paths are likewise reachable by anonymous users. The input arrives as ordinary HTTP request parameters or cookie values, and a single quote in any of them is enough to change the statement's grammar.

Impact

Successful exploitation allows an attacker to read, modify, or delete arbitrary data in the database. This could lead to disclosure of sensitive user information (handles, email addresses, password hashes), authentication bypass or privilege escalation, or complete compromise of the application's data. The "critical" classification comes from the source description; NVD lists the severity as unrated and no CVSS vector is published, so treat the rating as a qualitative judgement based on the potential for full database access rather than a scored one.

Mitigation

The fix is available in commit f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1 [1]. Users should apply this patch immediately. Before relying on it, review the diff and confirm that each of the affected functions now passes user input as bound parameters of a prepared statement rather than escaping values into the query string; ad-hoc escaping is easy to get wrong and should not be accepted as the fix. No other workarounds are documented. The repository may be archived or unmaintained; if so, upgrading to a patched fork or rewriting the affected code is recommended.
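To make the flaw described under Vulnerability and Exploitation and the parameterized fix recommended above concrete, the following is an added example. It is not klattr's code and not the contents of commit f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1; it models the evaluate_cookie path against a constructed SQLite schema (the table and column names are assumptions) and runs three payloads through a string-interpolating query and through a bound-parameter query built from the same inputs.

```python
import hashlib
import sqlite3

# Constructed sample schema and rows. klattr's real table and column names are
# not given on the page; these are assumptions for the demonstration only.
SCHEMA = """
CREATE TABLE users (
    uid         INTEGER PRIMARY KEY,
    handle      TEXT NOT NULL,
    email       TEXT NOT NULL,
    pw_hash     TEXT NOT NULL,
    session_key TEXT
);
"""

SAMPLE_USERS = [
    (1, "alice", "alice@example.test",
     hashlib.sha256(b"correct horse").hexdigest(), "k-alice-111"),
    (2, "bob", "bob@example.test",
     hashlib.sha256(b"battery staple").hexdigest(), "k-bob-222"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def evaluate_cookie_vulnerable(conn, uid, e_key):
    """The flawed pattern: cookie values spliced straight into the SQL text.
    Returns every row the query yields so the effect of each payload is
    visible (a real session check would take only the first row)."""
    sql = (f"SELECT uid, handle FROM users "
           f"WHERE uid = '{uid}' AND session_key = '{e_key}'")
    return conn.execute(sql).fetchall()


def evaluate_cookie_safe(conn, uid, e_key):
    """The hardened form: the query text is fixed and the cookie values are
    passed as bound parameters, so they can never alter the SQL grammar."""
    sql = "SELECT uid, handle FROM users WHERE uid = ? AND session_key = ?"
    return conn.execute(sql, (uid, e_key)).fetchall()


def demo():
    """Run three classic payloads against both versions; return the rows."""
    conn = make_db()
    r = {}
    # 1. Authentication bypass: the injected OR makes the WHERE clause true
    #    for every row, so the attacker is "logged in" without any key.
    r["bypass"] = evaluate_cookie_vulnerable(conn, "1", "' OR '1'='1")
    # 2. Targeted takeover: close the quote inside the UID value and comment
    #    out the rest of the statement, so the session key is never compared.
    r["takeover"] = evaluate_cookie_vulnerable(conn, "2' --", "not-the-key")
    # 3. Data exfiltration: UNION the password hashes into the result set.
    r["exfil"] = evaluate_cookie_vulnerable(
        conn, "1", "' UNION SELECT uid, pw_hash FROM users --")
    # The same inputs against the parameterized query match nothing, while a
    # genuine cookie still authenticates.
    r["safe_bypass"] = evaluate_cookie_safe(conn, "1", "' OR '1'='1")
    r["safe_takeover"] = evaluate_cookie_safe(conn, "2' --", "not-the-key")
    r["safe_legit"] = evaluate_cookie_safe(conn, "2", "k-bob-222")
    return r


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The bound-parameter form is the shape to look for when reviewing the actual commit: every function listed under Vulnerability should end up with a constant query string and a separate argument tuple, and a payload like the second one above should return no row rather than a different user's row.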

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
