
CVE-2023-34249: Unsanitized request to SQL database.

benjjvi/PyBB is an open source bulletin board. Prior to commit dcaeccd37198ecd3e41ea766d1099354b60d69c2, benjjvi/PyBB is vulnerable to SQL Injection. This vulnerability has been fixed as of commit dcaeccd37198ecd3e41ea766d1099354b60d69c2. As a workaround, a user may be able to update the software manually to avoid this problem by sanitizing user queries to BulletinDatabaseModule.py.


Impact

We have recently identified multiple instances of CWE-89 weaknesses (improper neutralization of special elements used in an SQL command) within the code of PyBB. These vulnerabilities pose significant risks to the security and privacy of user data. Specifically, the user tables may be exposed, compromising the confidentiality of clear-text usernames and emails. Additionally, the weaknesses undermine the integrity of the hashed and salted passwords, potentially allowing attackers to retrieve them for offline cracking and misuse.

Patches

This CWE-89 vulnerability has been fixed as of commit dcaeccd, and all users are advised to update to this patch as soon as possible, or to follow the instructions in the Workarounds section below.

Workarounds

Although a user may be able to update the software manually to avoid this problem by sanitising user queries in BulletinDatabaseModule.py, it is highly recommended to either update the entire software, keeping the database files, or replace just BulletinDatabaseModule.py.

To manually fix these errors, a user must have a competent knowledge of Python. The instructions to fix are as follows:

  1. Locate all SQL queries in use in the BulletinDatabaseModule.py file.
  2. Where a query appears as: c.execute(f"select * from posts where boardid = {boardid}"), replace it with c.execute("select * from posts where boardid = ?", (boardid,)). Note that the parameters must be passed as a sequence (here a one-element tuple), not as a bare value; the database driver then binds the value itself and never parses it as SQL.
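The two steps above, worked through as an added example (this is not PyBB's own code, and the table layout and sample rows are constructed for illustration). The first function locates `execute` calls whose SQL text is assembled from an f-string, `%` formatting, `+` concatenation or `str.format`, which is what step 1 asks a maintainer to find across BulletinDatabaseModule.py; the second pair shows the f-string query from step 2 beside its parameterized replacement, run against an in-memory SQLite database, so the difference in behaviour on a tampered `boardid` is visible rather than asserted.

```python
import ast
import sqlite3

# --- Step 1: find query sites that build SQL text from program values -------

def find_unsafe_execute_calls(source: str):
    """Return (line, reason) for each .execute()/.executemany() call whose SQL
    string is constructed at runtime instead of being a constant with '?'
    placeholders. Static, no execution of the scanned code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        reason = None
        if isinstance(sql, ast.JoinedStr) and any(
                isinstance(v, ast.FormattedValue) for v in sql.values):
            reason = "f-string interpolation"
        elif isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Mod, ast.Add)):
            reason = "% formatting or + concatenation"
        elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
              and sql.func.attr == "format"):
            reason = "str.format"
        if reason:
            findings.append((node.lineno, reason))
    return findings

# Constructed sample module: four unsafe patterns and one safe call (line 6).
SAMPLE_SOURCE = '''
c.execute(f"select * from posts where boardid = {boardid}")
c.execute("select * from posts where boardid = %s" % boardid)
c.execute("select * from posts where boardid = " + boardid)
c.execute("select * from posts where boardid = {}".format(boardid))
c.execute("select * from posts where boardid = ?", (boardid,))
'''

# --- Step 2: the vulnerable query beside its parameterized replacement -----

def make_db():
    """Constructed schema and rows; not PyBB's real database layout."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("create table posts (id integer primary key, boardid integer, body text)")
    c.executemany("insert into posts (boardid, body) values (?, ?)",
                  [(1, "board one post"), (2, "board two post"), (3, "board three post")])
    conn.commit()
    return conn

def posts_vulnerable(conn, boardid):
    """The CWE-89 pattern the advisory describes: the value becomes SQL text."""
    c = conn.cursor()
    c.execute(f"select * from posts where boardid = {boardid}")
    return c.fetchall()

def posts_fixed(conn, boardid):
    """Parameterized form from the workaround. The driver binds the value,
    so whatever it contains is compared against the column as data."""
    c = conn.cursor()
    c.execute("select * from posts where boardid = ?", (boardid,))
    return c.fetchall()

if __name__ == "__main__":
    for line, reason in find_unsafe_execute_calls(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
    conn = make_db()
    tampered = "2 or 1=1"          # constructed input that is not a board id
    print("vulnerable, id 2:", len(posts_vulnerable(conn, 2)), "row(s)")
    print("vulnerable, tampered:", len(posts_vulnerable(conn, tampered)), "row(s)")
    print("fixed, id 2:", len(posts_fixed(conn, 2)), "row(s)")
    print("fixed, tampered:", len(posts_fixed(conn, tampered)), "row(s)")
```

With the constructed table, both functions return the single board-2 row for a genuine id, but the tampered value makes the interpolated query return every row while the parameterized query returns none, because SQLite compares the whole string against the integer column and finds no match. The scanner is deliberately conservative: it flags only the four construction patterns it recognises, so a query assembled elsewhere and passed in as a variable still needs a manual look.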

References

Wikipedia: SQL injection.
OWASP: SQL Injection Prevention Cheat Sheet.
Common Weakness Enumeration: CWE-89.
