CVE-2012-5872

9.8 CRITICAL

📋 TL;DR

CVE-2012-5872 is a blind SQL injection vulnerability in ARC (ARC2) RDF store software that allows attackers to execute arbitrary SQL commands through specially crafted SPARQL queries. This affects all systems running ARC versions through 2011-12-01 that expose SPARQL endpoints. The vulnerability enables complete database compromise and potential remote code execution.

💻 Affected Systems

Products:
  • ARC (ARC2) RDF Store
Versions: All versions through 2011-12-01
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when SPARQL endpoints are exposed. The vulnerability exists in the getTriplePatternSQL function in ARC2_StoreSelectQueryHandler.php.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, and potential remote code execution on the underlying server through SQL injection.

🟠 Likely Case

Unauthorized data access and extraction from the RDF store, potentially exposing sensitive semantic data and application information.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though the core vulnerability remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to SPARQL endpoints. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2011-12-01

Vendor Advisory: https://github.com/semsol/arc2/security/advisories

Restart Required: No

Instructions:

1. Upgrade ARC2 to a version after 2011-12-01.
2. Replace the vulnerable ARC2_StoreSelectQueryHandler.php file.
3. Verify the fix by testing SPARQL queries with SQL injection attempts.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement input validation to filter SQL injection patterns in SPARQL WHERE clauses

# Add input validation in SPARQL endpoint handlers
# Filter comments and suspicious patterns in queries

SPARQL Endpoint Restriction

all

Restrict access to SPARQL endpoints using firewall rules or authentication

# Example Apache .htaccess: Require valid-user
# Example nginx: allow 192.168.1.0/24; deny all;

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns in SPARQL queries
  • Disable or restrict access to SPARQL endpoints entirely until patching is possible

🔍 How to Verify

Check if Vulnerable:

Test the SPARQL endpoint with crafted queries containing SQL injection patterns in WHERE clause comments

Check Version:

Check ARC2 version in source files or configuration: grep -r 'ARC2_VERSION' /path/to/arc2/

Verify Fix Applied:

Attempt the same SQL injection tests after patching; the injected queries should now return errors or be blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SPARQL queries with SQL-like syntax
  • Multiple failed query attempts with injection patterns
  • Database error logs showing SQL syntax errors

Network Indicators:

  • Unusual traffic to SPARQL endpoints
  • Requests containing SQL keywords in SPARQL queries

SIEM Query:

source="web_logs" AND (uri="*sparql*" OR uri="*query*") AND (query="*--*" OR query="*/*" OR query="*UNION*" OR query="*SELECT*" OR query="*FROM*")
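
A narrower version of the log indicators above, as an added example (not from the original page or the ARC2 project): SELECT, FROM and UNION are ordinary SPARQL keywords, so this sketch flags only SQL comment markers and UNION SELECT in the decoded query parameter, then counts flagged requests per client. The combined log format, the /sparql path, the query parameter name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%3Fs+%3Fp+%3Fo+%7D HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%7B+%3Fs+a+%3Fo+%7D+UNION+%7B+%3Fs+%3Fp+%3Fo+%7D+%7D HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/Mar/2024:10:01:10 +0000] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%3Fs+%3Fp+%3Fo+%7D+--+x HTTP/1.1" 500 120',
    '198.51.100.9 - - [01/Mar/2024:10:01:11 +0000] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%3Fs+%3Fp+%3Fo+%2F*+x+*%2F+%7D HTTP/1.1" 500 120',
    '198.51.100.9 - - [01/Mar/2024:10:01:12 +0000] "GET /sparql?query=SELECT+%3Fs+WHERE+%7B+%3Fs+%3Fp+%3Fo+%7D+UNION+SELECT+1 HTTP/1.1" 500 120',
    '192.0.2.44 - - [01/Mar/2024:10:02:00 +0000] "GET /docs/a--b.html HTTP/1.1" 200 300',
]

# client, request target and status from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# SQL-only syntax: SPARQL comments start with '#', and a SPARQL UNION is
# followed by '{', never by SELECT. '--' inside a literal can still match.
SQL_MARKERS = {
    "sql_line_comment": re.compile(r"--"),
    "sql_block_comment": re.compile(r"/\*"),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

def scan(lines):
    """Return (client, status, marker_names) for each flagged SPARQL request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if "sparql" not in url.path.lower():
            continue
        for q in parse_qs(url.query).get("query", []):  # URL-decoded values
            found = [name for name, rx in SQL_MARKERS.items() if rx.search(q)]
            if found:
                hits.append((client, status, found))
    return hits

def repeat_offenders(hits, threshold=3):
    """Clients with at least `threshold` flagged requests."""
    counts = Counter(client for client, _, _ in hits)
    return sorted(c for c, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    print(flagged, repeat_offenders(flagged))
```

Queries sent by POST do not appear in the request line, so this only covers GET traffic; the request body would have to be logged separately to cover the rest.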
