usefathom / fathom

Fathom Lite. Simple, privacy-focused website analytics. Built with Golang & Preact.
https://usefathom.com/
MIT License

possible SQL injection vulnerability #312

Closed jlopp closed 2 years ago

jlopp commented 4 years ago

We recently noticed that the metrics on our fathom instance had shot up by several orders of magnitude despite our traffic remaining fairly steady. From looking at the fathom logs we see a lot of:

msg="processing 5000 pageviews"

Which should never happen given the low volume traffic of our site. While we haven't reproduced the cause, we believe someone is able to trigger this by sending malformed requests to fathom; we see errors being logged such as:

msg="Skipping pageview from referrer testtest<testtest>testtest\\'asdtesttest\\"asdtesttest\testtest'" because of malformed referrer URL"
msg="Skipping pageview from referrer jjjjjjj${123456}jjjjjjj<%=123567%>jjjjjjj{{123*678}} because of malformed referrer URL"
msg="Skipping pageview because of unrecognized site tracking ID testtest"
msg="Skipping pageview because of unrecognized site tracking ID jjjjjjj$"

We see a record in our "pageviews" table that looks like this: ('jjjjjjj${123456}jjjjjjj<%=123','https://keys.casa','/',0,0,0,1,'https://store.casa/pay-with-bitcoin-ethereum-litecoin-crypto/',0,'2020-04-27 23:12:11','AMBTH',0)

We suspect that SQL injection may be possible via the referrer.

JokerQyou commented 4 years ago

This is something interesting. I did not find the "processing ... pageviews" log message in the code base; also, the data record of yours does not match the pageviews table definition. Do you mind including the version of your fathom instance, as well as the corresponding column names of that record?

LKaemmerling commented 2 years ago

Just to have it written:

This is imho not a real SQL injection possibility. It is more a "trusted user input" issue, where it was easy to inject a custom ID; however, a SQL injection wouldn't be possible with it.
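As an added example, not code from the fathom project or from anyone in this thread: a small Go program that applies the two input checks this thread turns on (jlopp's malformed referrers and unrecognized tracking IDs, and LKaemmerling's "trusted user input" point) and runs a triage pass over constructed log lines modelled on the ones quoted above. It rejects referrers that are not absolute http(s) URLs with a host, accepts a site tracking ID only if it is on the instance's allowlist, and flags oversized "processing N pageviews" batches and referrers that carry scanner-style markers. The batch ceiling (maxExpectedBatch), the tracking-ID shape regex, the allowlist and the sample log are all assumptions made for this example; nothing here is fathom's own schema or API.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// maxExpectedBatch is an assumed ceiling for one "processing N pageviews"
// batch on a low-traffic site; tune it to your own baseline.
const maxExpectedBatch = 100

// validIDShape is an assumed shape for a site tracking ID (short upper-case
// alphanumeric, like the 'AMBTH' in the issue). fathom's real format may
// differ; the allowlist check is the trust decision that actually matters.
var validIDShape = regexp.MustCompile(`^[A-Z0-9]{1,16}$`)

// probeMarkers are substrings typical of scanner payloads: template
// expression openers and quote/angle characters used to test for injection.
var probeMarkers = []string{"${", "{{", "<%", "'", `"`, "<", ">"}

// ValidReferrer accepts only absolute http(s) URLs that carry a host.
func ValidReferrer(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	return u.Host != ""
}

// ValidTrackingID checks shape first (cheap), then membership in the set of
// IDs this instance actually serves; an unknown ID is never trusted.
func ValidTrackingID(id string, known map[string]bool) bool {
	return validIDShape.MatchString(id) && known[id]
}

// LooksLikeProbe reports whether a rejected referrer carries markers of a
// deliberate injection probe rather than an ordinary broken URL.
func LooksLikeProbe(s string) bool {
	for _, m := range probeMarkers {
		if strings.Contains(s, m) {
			return true
		}
	}
	return false
}

// Summary is what one triage pass over the collector log produces.
type Summary struct {
	Processed          int // pageviews summed over all batches
	LargestBatch       int
	SuspiciousBatches  int // batches above maxExpectedBatch
	MalformedReferrers int
	ProbeReferrers     int // malformed referrers that look like scanner payloads
	UnknownIDs         int
}

var (
	reBatch    = regexp.MustCompile(`^processing (\d+) pageviews$`)
	reReferrer = regexp.MustCompile(`^Skipping pageview from referrer (.*) because of malformed referrer URL$`)
	reUnknown  = regexp.MustCompile(`^Skipping pageview because of unrecognized site tracking ID (.*)$`)
)

// message pulls the value out of a logfmt-style msg="..." field. The referrer
// itself may contain quotes, so only the outer closing quote is stripped.
func message(line string) (string, bool) {
	_, rest, ok := strings.Cut(line, `msg="`)
	if !ok {
		return "", false
	}
	return strings.TrimSuffix(rest, `"`), true
}

// Triage classifies each line and counts the two signals the issue reports:
// oversized batches and skipped pageviews with probe-like referrers.
func Triage(lines []string) Summary {
	var s Summary
	for _, line := range lines {
		msg, ok := message(line)
		if !ok {
			continue
		}
		switch {
		case reBatch.MatchString(msg):
			n, _ := strconv.Atoi(reBatch.FindStringSubmatch(msg)[1])
			s.Processed += n
			if n > s.LargestBatch {
				s.LargestBatch = n
			}
			if n > maxExpectedBatch {
				s.SuspiciousBatches++
			}
		case reReferrer.MatchString(msg):
			s.MalformedReferrers++
			if LooksLikeProbe(reReferrer.FindStringSubmatch(msg)[1]) {
				s.ProbeReferrers++
			}
		case reUnknown.MatchString(msg):
			s.UnknownIDs++
		}
	}
	return s
}

// SampleLog is constructed for this example, modelled on the lines quoted in
// the issue; it is not a capture from a real deployment.
var SampleLog = []string{
	`msg="processing 5000 pageviews"`,
	`msg="Skipping pageview from referrer jjjjjjj${123456}jjjjjjj<%=123567%>jjjjjjj{{123*678}} because of malformed referrer URL"`,
	`msg="Skipping pageview because of unrecognized site tracking ID testtest"`,
	`msg="Skipping pageview because of unrecognized site tracking ID jjjjjjj$"`,
	`msg="Skipping pageview from referrer not-a-url because of malformed referrer URL"`,
	`msg="processing 3 pageviews"`,
}

func main() {
	known := map[string]bool{"AMBTH": true} // assumed allowlist for this instance
	fmt.Println(ValidReferrer("https://store.casa/pay-with-bitcoin-ethereum-litecoin-crypto/"),
		ValidReferrer("jjjjjjj${123456}jjjjjjj<%=123567%>jjjjjjj{{123*678}}"))
	fmt.Println(ValidTrackingID("AMBTH", known), ValidTrackingID("testtest", known))
	fmt.Printf("%+v\n", Triage(SampleLog))
}
```

The allowlist check on the tracking ID is the fix for what LKaemmerling describes: a pageview whose ID is not one this instance issued is dropped before it reaches storage, whatever the referrer contains. The referrer check and the probe markers are only triage signals; they say a scanner is at work, not that any query was injectable.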