Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by cyb2e - 28.05.2026
Last edited by cbay - 01.06.2026

FS#339 - High Severity: SQL Injection via 'redirect_from' parameter on /language/en/

Dear Alwaysdata Security Team,

During a security assessment of your platform, I identified a High-Severity SQL Injection vulnerability affecting the 'redirect_from' parameter on the path `/language/en/`.

### 1. Description of the Vulnerability
The application fails to properly sanitize, filter, or parameterize user-supplied input passed through the 'redirect_from' parameter before incorporating it into a backend SQL query. This allows an attacker to manipulate the structure of the query. Based on the behavior of the application and the generated database errors, the backend database engine is identified as PostgreSQL.

### 2. Proof of Concept (PoC) / Steps to Reproduce
1. Send an HTTP GET request to the following endpoint:

 https://www.alwaysdata.com/language/en/

2. Inject a payload into the 'redirect_from' parameter designed to break the SQL syntax logic, such as appending an unbalanced quote or an alternative logical condition (e.g., standard SQL injection fuzzing vectors).
3. Observe the response from the server: The backend application fails to handle the syntax exception gracefully and returns a descriptive database error message in the response context, confirming that the input is being evaluated directly by the database interpreter.

### 3. Impact
Successful exploitation of SQL Injection could allow an unauthenticated attacker to:
* Bypass authentication mechanisms.
* Access, read, or exfiltrate sensitive data from the database tables.
* Modify or delete database records (Data tampering).
* In certain configurations, perform administrative operations or execute OS commands depending on the database user privileges.

### 4. Remediation Recommendation
* Use Prepared Statements (Parameterized Queries): Ensure that all user-supplied inputs are bound as parameters rather than being concatenated directly into SQL command strings.
* Input Validation: Implement strict whitelisting for the 'redirect_from' parameter to ensure it only accepts expected string patterns or paths.
* Disable Verbose Errors: Configure the production environment to suppress detailed database error messages and stack traces to prevent information disclosure.

Best regards,
Mohammed Aziz
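
The remediation in section 4 of the report, shown as an added example that is not part of the report or of Alwaysdata's code: a lookup on `redirect_from` written first with string concatenation and then with a bound parameter, plus a whitelist check on the path. The in-memory SQLite database, the `pages` table, the sample rows and the allowed path shape are assumptions standing in for the PostgreSQL backend; with psycopg2 the placeholder is `%s` instead of `?`, but the technique is the same.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# PostgreSQL backend (assumption; the real schema is not on the page).
SAMPLE_PAGES = [("/pricing/", "en"), ("/support/", "en"), ("/admin/secret/", "fr")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (path TEXT PRIMARY KEY, lang TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_concatenated(conn, redirect_from):
    """Vulnerable form: the parameter is spliced into the SQL text, so a quote
    in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT path FROM pages WHERE path = '%s'" % redirect_from
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, redirect_from):
    """Fixed form: the value is bound as a parameter and never parsed as SQL.
    sqlite3 uses '?' placeholders; psycopg2 uses '%s' with the same semantics."""
    sql = "SELECT path FROM pages WHERE path = ?"
    return [row[0] for row in conn.execute(sql, (redirect_from,))]


def db_error_for(conn, redirect_from):
    """Run the vulnerable lookup and return the raw database error text (the
    kind of message a verbose error page would leak), or None if it ran."""
    try:
        lookup_concatenated(conn, redirect_from)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


# Whitelist for redirect_from (assumed shape): an absolute, site-relative path
# of slash-separated segments. It also rejects '//host/' open-redirect forms
# and anything carrying quotes, spaces or SQL keywords.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9_-]+/)*$")


def validate_redirect_from(value):
    """Return the value if it matches the whitelist, else raise ValueError."""
    if not SAFE_PATH.fullmatch(value):
        raise ValueError("redirect_from rejected: %r" % value)
    return value


def safe_lookup(conn, redirect_from):
    """Defence in depth: validate the input first, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_redirect_from(redirect_from))


if __name__ == "__main__":
    db = build_db()
    tautology = "/pricing/' OR '1'='1"
    print(lookup_concatenated(db, tautology))   # every row: the injection succeeded
    print(lookup_parameterized(db, tautology))  # []: the payload is just a path string
    print(db_error_for(db, "'"))                # unbalanced quote -> database syntax error
    print(safe_lookup(db, "/pricing/"))
```

The tautology payload returns every row through the concatenated query and nothing through the bound one, and a lone quote produces exactly the kind of database syntax error the report describes; the whitelist rejects both before the query is built. Validation is a second layer, not a substitute: the parameter binding is what removes the injection.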

Closed by cbay
01.06.2026 10:11
Reason for closing: Invalid
Admin
cbay commented on 29.05.2026 07:18

Hello,

Observe the response from the server: The backend application fails to handle the syntax exception gracefully and returns a descriptive database error message in the response context

Can you give me that database error message?

Kind regards,
Cyril
