When parameterization fails: SQL injection in Nim using parameterized queries
10 days ago
- #Nim Programming
- #PostgreSQL Security
- #SQL Injection
- SQL injection vulnerability found in Nim's db_postgres module when using parameterized queries with PostgreSQL databases where standard_conforming_strings is disabled.
- The vulnerability arises because the module fails to properly escape special characters like backslashes when standard_conforming_strings is off, leading to potential SQL injection.
- Proof of concept demonstrates how an attacker can bypass authentication by injecting malicious input.
- Impact includes unauthorized data access, authentication bypass, and potential backend compromises.
- Mitigation involves ensuring standard_conforming_strings is enabled in PostgreSQL configurations.
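The two defensive checks implied by the summary above, as an added example (not code from the Nim project or from the advisory): a connection-aware literal quoter that doubles backslashes only when the server reports `standard_conforming_strings` as off, a small scanner that tokenizes a quoted literal the way the server does in each mode so you can see why quote-only escaping breaks down, and a startup check built on the real `SHOW standard_conforming_strings` command. The function names (`quote_literal`, `quote_naive`, `literal_terminates`, `setting_is_on`, `startup_check`) and the fake query executor are assumptions for the example; the backslash-escape behaviour of ordinary `'...'` literals with the setting off is documented PostgreSQL behaviour.

```python
"""Connection-aware quoting for PostgreSQL string literals.

Added illustration, not the Nim db_postgres code. Function names are assumed.
PostgreSQL treats a backslash inside an ordinary '...' literal as an escape
character when standard_conforming_strings is off, so an escaper that only
doubles single quotes is not enough in that mode: a trailing backslash
swallows the closing quote and the rest of the query is re-tokenized.
"""

SHOW_QUERY = "SHOW standard_conforming_strings"  # real PostgreSQL command


def quote_naive(value: str) -> str:
    """Quote-only escaping: correct only when the server has the setting on."""
    return "'" + value.replace("'", "''") + "'"


def quote_literal(value: str, standard_conforming_strings: bool) -> str:
    """Quote value for the server mode actually in effect.

    Single quotes are always doubled. With the setting off, backslashes are
    doubled too, so the server decodes them back to a single backslash instead
    of treating the next character as escaped. The two replacements do not
    interact (neither introduces the other's character), so order is irrelevant.
    """
    escaped = value.replace("'", "''")
    if not standard_conforming_strings:
        escaped = escaped.replace("\\", "\\\\")
    return "'" + escaped + "'"


def literal_terminates(literal: str, standard_conforming_strings: bool) -> bool:
    """Scan a quoted literal as the server lexer would in the given mode.

    Returns True only if the string ends exactly at the last character. Any
    other outcome means application data would change where the literal ends,
    which is the failure mode behind the reported injection.
    """
    if len(literal) < 2 or literal[0] != "'":
        return False
    i, n = 1, len(literal)
    while i < n:
        c = literal[i]
        if c == "'":
            if i + 1 < n and literal[i + 1] == "'":
                i += 2  # doubled quote is a literal quote character
                continue
            return i == n - 1  # closing quote must be the final character
        if c == "\\" and not standard_conforming_strings:
            i += 2  # escape consumes the following character
            continue
        i += 1
    return False  # reached end of text without a closing quote


def setting_is_on(show_value: str) -> bool:
    """Interpret the value returned by SHOW; anything unrecognised counts as off."""
    return show_value.strip().lower() in {"on", "true", "yes", "1"}


def startup_check(run_query) -> bool:
    """Refuse to proceed unless the server reports the setting as on.

    run_query is any callable that executes one SQL statement and returns the
    single result value as a string (a thin wrapper around your driver).
    """
    value = run_query(SHOW_QUERY)
    if not setting_is_on(value):
        raise RuntimeError(
            "standard_conforming_strings is %r; set it to on in postgresql.conf "
            "(standard_conforming_strings = on) before relying on quote-only escaping"
            % value
        )
    return True


if __name__ == "__main__":
    sample = "abc\\"  # constructed input: a value ending in a backslash
    for mode in (True, False):
        print("setting on" if mode else "setting off",
              "naive:", literal_terminates(quote_naive(sample), mode),
              "aware:", literal_terminates(quote_literal(sample, mode), mode))
    # Constructed executor standing in for a real connection returning "off".
    try:
        startup_check(lambda sql: "off")
    except RuntimeError as exc:
        print("startup check failed:", exc)
```

The scanner is the piece worth keeping around: run it over the literals your own escaping routine produces, in both modes, and any value for which it returns False is one the server will read past the intended boundary. The startup check is the operational form of the mitigation bullet, so a misconfigured database fails loudly at deploy time rather than silently weakening escaping.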