Odine Solutions GateKeeper SQL Injection Vulnerability in trafficCycle API Endpoint
Vulnerability
A SQL injection vulnerability has been identified in Odine Solutions GateKeeper version 1.0, specifically within the trafficCycle API endpoint. This vulnerability allows remote attackers to inject malicious SQL queries that could manipulate PostgreSQL database operations and potentially expose sensitive information. The issue arises from improper handling of input in the trafficCycle parameter, enabling attackers to craft payloads that interfere with database query execution.
Impact
Successful exploitation lets an attacker manipulate database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
The vulnerability can be reproduced by sending a GET request to the /rass/api/v1/trafficCycle/ endpoint with a crafted payload that includes SQL injection commands. The injection can be verified in two ways: with error-based SQL injection techniques, where the injected SQL causes a database error response, or with time-based blind injection techniques, where the injected SQL makes the database wait for a few seconds before responding, indicating that the injection was successful.
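The two verification signals described above (database errors and delayed responses) are also what a defender can look for in access logs. The following is an added example, not code from the advisory or the vendor: it flags requests to the endpoint whose input fails an allow-list and records whether they also produced a server error or a slow response. The log format, the numeric-ID allow-list, the 3-second threshold and the sample lines are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/rass/api/v1/trafficCycle/"
# Assumption: legitimate values are plain numeric IDs; adjust to the real format.
ALLOWED = re.compile(r"\d+")
SLOW_SECONDS = 3.0  # assumed threshold for a suspiciously slow response

# Constructed log format: ip "METHOD target HTTP/x" status request_time
LINE = re.compile(r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<secs>\d+\.\d+)$')

def classify(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LINE.match(line.strip())
    if not m or not m["target"].startswith(ENDPOINT):
        return []
    # Everything after the endpoint prefix is client-controlled input.
    value = unquote(m["target"][len(ENDPOINT):])
    findings = []
    if not ALLOWED.fullmatch(value):
        findings.append("non-conforming value")
        if m["status"].startswith("5"):
            findings.append("server error on non-conforming value")
        if float(m["secs"]) >= SLOW_SECONDS:
            findings.append("slow response on non-conforming value")
    return findings

def scan(lines):
    """Map source IP -> findings across all lines, for triage."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            ip = line.split(" ", 1)[0]
            report.setdefault(ip, []).extend(hits)
    return report

# Constructed sample lines (documentation IP ranges, not from a real system).
SAMPLE = [
    '198.51.100.7 "GET /rass/api/v1/trafficCycle/42 HTTP/1.1" 200 0.031',
    '203.0.113.9 "GET /rass/api/v1/trafficCycle/42%27 HTTP/1.1" 500 0.044',
    '203.0.113.9 "GET /rass/api/v1/trafficCycle/42%27%3B-- HTTP/1.1" 200 5.012',
    '198.51.100.7 "GET /rass/api/v1/status HTTP/1.1" 200 0.010',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        print(ip, hits)
```

The same allow-list check, applied server-side before the value reaches a parameterized query, rejects these requests outright instead of only reporting them.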
