uverif SQL Injection Vulnerability in the addbatch Function
Vulnerability
A SQL injection vulnerability has been identified in uverif versions through 3.2. The issue arises in the addbatch function within the file /admin/kami_list. Manipulation of the note argument allows for SQL injection, which can be exploited remotely. The vulnerability has been publicly disclosed, and an exploit is available.
Impact
Exploitation of this vulnerability lets an attacker manipulate the SQL queries sent to the database. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to the /admin/kami_list endpoint with the act parameter set to 'add' and a crafted note parameter that exploits the SQL injection vulnerability, such as one that uses XPath injection techniques to extract data. A successful injection is indicated by an error message in the response that includes the injected data.
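The two conditions described above, the note value reaching the SQL text and the database error being returned in the response, are both addressed in the following added example. It is not uverif's code: the kami table, the function names and the use of Python's sqlite3 as a stand-in database are assumptions made for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("kami_admin")  # hypothetical logger name


def open_db():
    # Constructed schema: uverif's real table layout is not shown in the advisory.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE kami (id INTEGER PRIMARY KEY, code TEXT NOT NULL, note TEXT NOT NULL)"
    )
    return db


def addbatch_concat(db, codes, note):
    """Vulnerable pattern: 'note' is pasted into the SQL text, so a quote
    character in it is parsed as SQL syntax instead of stored as data."""
    for code in codes:
        db.execute("INSERT INTO kami (code, note) VALUES ('%s', '%s')" % (code, note))
    return len(codes)


def addbatch_bound(db, codes, note):
    """Hardened pattern: values are sent as bound parameters, never as SQL text."""
    db.executemany(
        "INSERT INTO kami (code, note) VALUES (?, ?)", [(c, note) for c in codes]
    )
    return len(codes)


def handle_add(db, codes, note, impl=addbatch_bound):
    """Handler wrapper for act=add: database errors are logged server-side only,
    so the response never echoes driver error text back to the client."""
    try:
        with db:  # commits on success, rolls the whole batch back on error
            added = impl(db, codes, note)
        return {"code": 0, "msg": "added %d" % added}
    except sqlite3.Error as exc:
        log.warning("addbatch failed: %s", exc)
        return {"code": 1, "msg": "could not add batch"}


if __name__ == "__main__":
    db = open_db()
    note = "it's a test"  # constructed input: an ordinary apostrophe
    print(handle_add(db, ["A1", "A2"], note, impl=addbatch_concat))
    print(handle_add(db, ["A1", "A2"], note))
```

With the concatenating version an ordinary apostrophe in note is enough to break the statement, which shows the value is being parsed as SQL; the bound version stores the same string verbatim.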
