DEF-050 — Verification Requests: Search triggers SQL error that exposes full database schema in browser alert


2026-06-17


Summary

Typing in the Search box on the Verification Requests page (/admin/verify-badge-requests) sends a server-side DataTables request whose generated SQL fails with an "undefined column" error. The server returns the full exception message to the browser, and the DataTables client displays it in a native JavaScript alert dialog. The message contains the complete SQL statement, the database host, port and name, and the table and column names involved, so any authenticated admin user can read the database internals simply by searching. The search itself does not work: the request fails and the table keeps showing every row regardless of the query.

Environment

  • URL: https://project6.dxtserver.com/drivelink_new/public/admin/verify-badge-requests
  • Module: Admin Panel — Verification Requests → Search
  • Date Reported: 2026-06-17
  • Browser: Chromium (Playwright)
  • Testing Phase: Admin Panel — Verification Requests (test case VR-07)

Alert Dialog Content (Full Text)

DataTables warning: table id=responseTable - Exception Message:

SQLSTATE[42703]: Undefined column: 7 ERROR: column verify_badge_requests.DT_RowIndex does not exist
LINE 1: ...nd "users"."deleted_at" is null)) and (LOWER(CAST("verify_ba...
         ^
(Connection: pgsql, Host: 127.0.0.1, Port: 5432, Database: project6,
SQL: select count(*) as aggregate from (
  select * from "verify_badge_requests"
  where ("first_name"::text ILIKE %Tommy%
    or "email"::text ILIKE %Tommy%
    or exists (select * from "users"
               where "verify_badge_requests"."user_id" = "users"."id"
               and "name"::text ILIKE %Tommy%
               and "users"."deleted_at" is null))
  and (LOWER(CAST("verify_badge_requests"."DT_RowIndex" as TEXT)) LIKE %tommy%
    or LOWER(CAST("verify_badge_requests"."user" as TEXT)) LIKE %tommy%
    or LOWER(CAST("verify_badge_requests"."first_name" as TEXT)) LIKE %tommy%
    or LOWER(CAST("verify_badge_requests"."email" as TEXT)) LIKE %tommy%)
  order by "id" desc) count_row_table)

Information Leaked

  Type               Value
  Database engine    PostgreSQL
  DB host            127.0.0.1 (the database runs on the same host as the application)
  DB port            5432
  Database name      project6
  Table name         verify_badge_requests
  Real columns       id, first_name, email, user_id
  Virtual columns    DT_RowIndex, user (DataTables display columns; not columns of the table)
  Related table      users (joined on users.id = verify_badge_requests.user_id; soft-deleted rows via deleted_at)
  Full SQL query     Exposed verbatim, including the position of the search term in the ILIKE/LIKE patterns

Root Cause

The DataTables server-side handler treats DT_RowIndex as a searchable column. DT_RowIndex is a display-only row counter generated by the server-side library; it is not a column of the verify_badge_requests table. The global-search WHERE clause therefore references "verify_badge_requests"."DT_RowIndex", and PostgreSQL rejects the statement with SQLSTATE[42703]: Undefined column. The "user" column is searched the same way and is not referenced anywhere else in the query, so it is most likely a rendered relationship column with the same problem; it simply never gets reached because the statement fails on DT_RowIndex first.

The handler catches the exception and returns its full message, including the rendered SQL and the connection details, in the error field of the JSON response; the DataTables client then shows that field in its default alert dialog. Returning the exception message instead of a generic error is consistent with the application running with debug mode enabled, which must not be the case in a deployed environment. Because the request errored, DataTables keeps the rows it had already loaded, which is why every entry stays visible after a failed search.
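The following is an added example for this report, not code from the application or from the defect report. It shows, on the DataTables client side, the column definitions that keep the display-only columns out of the server-side search (the server-side handler only searches columns the client marks searchable), a helper that audits any column set for the same mistake, the per-column request fields as DataTables actually posts them, and an error mode that replaces the native alert with a logged, generic message. The real/virtual column split is assumed from the SQL in the alert, the table id responseTable and the page URL come from this report, and the ajax endpoint and the user-message callback are assumptions.

```javascript
// Added example for DEF-050 (not the application's own code).
// Assumed from the SQL in the alert, not confirmed against the schema:
// id, first_name, email, user_id are real columns of verify_badge_requests;
// DT_RowIndex and user are virtual columns produced by the server-side handler.
const REAL_COLUMNS = ['id', 'first_name', 'email', 'user_id'];

// Column set as the failing page appears to send it. DataTables marks every
// column searchable unless told otherwise, so DT_RowIndex and user reach the
// server with columns[i][searchable]=true and end up in the WHERE clause.
const currentColumns = [
  { data: 'DT_RowIndex', name: 'DT_RowIndex' },
  { data: 'user',        name: 'user' },
  { data: 'first_name',  name: 'first_name' },
  { data: 'email',       name: 'email' },
];

// Hardened column set: virtual columns are neither searchable nor orderable,
// so the server only ever builds search/order SQL for real columns.
const hardenedColumns = [
  { data: 'DT_RowIndex', name: 'DT_RowIndex', searchable: false, orderable: false },
  { data: 'user',        name: 'user',        searchable: false, orderable: false },
  { data: 'first_name',  name: 'first_name' },
  { data: 'email',       name: 'email' },
];

// Returns the names of columns the server would search that are not real
// database columns. Worth running against every DataTables definition in the
// admin panel, since the same misconfiguration would fail the same way.
function searchableVirtualColumns(columns, realColumns) {
  return columns
    .filter((c) => c.searchable !== false && !realColumns.includes(c.name))
    .map((c) => c.name);
}

// Reproduces the per-column fields DataTables posts for a server-side request
// (columns[i][data], [name], [searchable], [orderable]). This is what the
// handler reads to decide which columns take part in the global search.
function columnRequestParams(columns) {
  const params = {};
  columns.forEach((c, i) => {
    params[`columns[${i}][data]`] = c.data;
    params[`columns[${i}][name]`] = c.name;
    params[`columns[${i}][searchable]`] = String(c.searchable !== false);
    params[`columns[${i}][orderable]`] = String(c.orderable !== false);
  });
  return params;
}

// DataTables options for #responseTable. Using the page URL as the JSON
// endpoint is an assumption; substitute the application's real ajax route.
function responseTableOptions(columns) {
  return {
    processing: true,
    serverSide: true,
    ajax: '/admin/verify-badge-requests',
    columns,
  };
}

// Replaces DataTables' default alert() error mode. Even once the server is
// fixed to return a generic message, the client should never surface the raw
// error field: log it for developers and show a fixed string to the user.
// `DataTable` is the global DataTables constructor, `table` an API instance.
function installErrorHandler(DataTable, table, showMessage) {
  DataTable.ext.errMode = 'none'; // no native alert dialog
  table.on('error.dt', (e, settings, techNote, message) => {
    console.error('DataTables request failed:', message);
    showMessage('The search could not be completed. Please try again.');
  });
}

// Browser usage (requires jQuery and DataTables to be loaded on the page):
//   const table = new DataTable('#responseTable', responseTableOptions(hardenedColumns));
//   installErrorHandler(DataTable, table, (msg) => { /* render msg in the page */ });
```

Switching errMode only stops the browser from displaying whatever the server sends; the leak is closed on the server by declaring virtual columns non-searchable, not running production with debug mode enabled, and logging the exception instead of returning its message.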

Steps to Reproduce

  1. Log in to the Admin Panel.
  2. Navigate to Verification Requests (/admin/verify-badge-requests).
  3. Type any text in the Search box (e.g. “Tommy”).
  4. Wait 1–2 seconds.
  5. Observe: a browser alert dialog appears with the full SQL query and database connection details.

Expected Behaviour

  • Search should filter verification requests by name/email.
  • Only real database columns should take part in the search; display-only columns such as DT_RowIndex should be declared non-searchable and non-orderable.
  • Any SQL errors should be caught server-side, logged internally, and a generic error message returned to the client.
  • No database schema, table names, column names, or connection details should ever be exposed to the browser.

Actual Behaviour

  • The search fails entirely: all 5 rows remain visible regardless of the query, because the failed request leaves the previously loaded rows in place.
  • A JavaScript alert dialog exposes the full SQL error, including the database type, host, port, database name, table and column names, and the failing SQL query.

Security Impact

This is a critical security vulnerability:

  • An attacker with admin panel access can enumerate the database schema (table, column and relationship names) simply by typing in the search box; any other DataTables page configured the same way would leak in the same way.
  • The connection details (PostgreSQL on 127.0.0.1:5432, database project6) show that the database runs locally on the application host, which helps an attacker target follow-on access to that host.
  • The verbatim query exposes the ORM's query structure and the exact position of the search term, making SQL injection attempts elsewhere in the application more targeted. Nothing in this report demonstrates injection through the search term itself; the exposure lowers the effort for an attacker who finds an injection point elsewhere.

Severity

Critical — Security vulnerability: full database internals exposed in browser; search completely broken.

Priority

Critical

Status

New

Reported By

QA / Testing Team