CVE-2023-33665
📋 TL;DR
CVE-2023-33665 is a SQL injection vulnerability in ai-dev aitable's /includes/ajax.php component that allows attackers to execute arbitrary SQL commands. This affects all users running aitable versions before v0.2.2, potentially leading to data theft, modification, or deletion.
💻 Affected Systems
- ai-dev aitable
📦 What is this software?
Ai Table by Ai Dev
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access and manipulation, potentially leading to sensitive information disclosure and data integrity issues.
If Mitigated
Limited impact with proper input validation and parameterized queries in place, though the vulnerability would still exist.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited and tools exist to automate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.2.2
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/08/01/aitable.html
Restart Required: No
Instructions:
1. Download aitable v0.2.2 or later from the official source.
2. Backup your current installation.
3. Replace the vulnerable files with the patched version.
4. Verify the /includes/ajax.php file has been updated.
🔧 Temporary Workarounds
Disable ajax.php endpoint
Temporarily block access to the vulnerable endpoint (this also disables any legitimate functionality that depends on ajax.php, so test before deploying).
# For Apache: add to .htaccess in the aitable directory
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files "ajax.php">
Order allow,deny
Deny from all
</Files>
# For Nginx: add to the server block, before any other regex location
# (e.g. the generic "location ~ \.php$" handler), since the first matching regex location wins
location ~ /includes/ajax\.php {
deny all;
}
Web Application Firewall rule
Add a SQL injection detection rule for ajax.php. The rule is chained so that only requests to the endpoint whose arguments look like SQL are denied; a single unchained rule on REQUEST_URI alone would block every request to ajax.php.
# Example ModSecurity rule (requires the @detectSQLi operator, available since ModSecurity 2.7.4)
SecRule REQUEST_URI "@contains /includes/ajax.php" \
"id:1001,phase:2,deny,status:403,msg:'SQLi attempt on aitable ajax.php',chain"
SecRule ARGS "@detectSQLi" "t:urlDecodeUni"
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all database interactions
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if aitable version is below v0.2.2 by examining the software version in the admin panel or checking the source code.
Check Version:
Check the software version in the admin interface or examine the source code for version markers.
Verify Fix Applied:
Verify the /includes/ajax.php file has been updated to v0.2.2 or later and test with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts via ajax.php
- Suspicious parameter values in web server logs for ajax.php
Network Indicators:
- Unusual traffic patterns to /includes/ajax.php
- SQL keywords in HTTP requests to ajax.php endpoint
SIEM Query (Splunk-style pseudo-query; adapt the field names source, uri and query to your log schema):
source="web_server" AND uri="/includes/ajax.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*")
Match the keywords as substrings, case-insensitively, and after URL-decoding the query string, since injection payloads are usually percent-encoded; an exact match on query="UNION" would never fire.
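The log indicators above, applied to web server access logs as an added example (not part of the advisory): it parses combined-format lines, keeps only requests to /includes/ajax.php, URL-decodes the parameter values and flags those containing SQL keywords or quote/comment characters. The log lines are constructed samples; the field layout assumes the standard combined log format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2023:10:00:01 +0000] "GET /includes/ajax.php?action=list&id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2023:10:00:02 +0000] "GET /includes/ajax.php?action=list&id=7%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2023:10:00:03 +0000] "GET /index.php?page=union HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.7 - - [01/Aug/2023:10:00:04 +0000] "GET /includes/ajax.php?action=select_row&id=12 HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2023:10:00:05 +0000] "POST /includes/ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# SQL keywords as whole words (so "select_row" does not match), plus quote and comment markers.
SQLI_RE = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|UPDATE|DROP)\b|--|/\*|'", re.IGNORECASE)

VULN_PATH = "/includes/ajax.php"


def decode_params(target):
    """Return URL-decoded parameter values; decoded a second time to catch double-encoding."""
    query = urlsplit(target).query
    return [unquote_plus(v) for _, v in parse_qsl(query, keep_blank_values=True)]


def find_sqli_hits(log_text):
    """Return (client_ip, decoded_value) for ajax.php requests whose parameters look like SQL.

    POST bodies are not present in access logs, so POST requests can only be
    inspected at the WAF or application layer; they are counted but never flagged here.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group("target")).path != VULN_PATH:
            continue
        for value in decode_params(m.group("target")):
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), value))
                break  # one finding per request is enough for alerting
    return hits


if __name__ == "__main__":
    for ip, value in find_sqli_hits(SAMPLE_LOG):
        print(f"possible SQLi from {ip}: {value!r}")
```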