Tipray Data Leakage Prevention System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Tipray Data Leakage Prevention System version 1.0. The issue arises in the 'findUserPage' function within the 'findUserPage.do' file, where user-controllable input in the 'sort' parameter is not properly sanitized before it is used in a SQL statement, allowing SQL injection. This vulnerability can be exploited remotely, and an authentication bypass issue further facilitates access to the vulnerable endpoint.
Impact
Exploitation of this vulnerability allows for arbitrary SQL execution, which could lead to unauthorized data access, data manipulation, or deletion. The vulnerability has been confirmed to exist and is publicly exploitable.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'findUserPage.do' endpoint with a crafted 'sort' parameter that includes SQL injection payloads. The injection can be verified by using time-based SQL injection techniques, such as adding a 'SLEEP' function in the 'sort' parameter, which will delay the response and confirm the successful exploitation of the vulnerability.
Remediation
To address this vulnerability, it is recommended to replace the insecure '${}' syntax with the safe '#{}' syntax in MyBatis mappers, implement strict validation for user-controlled parameters, fix the authentication bypass vulnerability, and enable SQL injection detection mechanisms.
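A sort parameter usually ends up in an ORDER BY clause, where MyBatis '#{}' binds the value as a string literal rather than a column name, so the strict validation step carries the fix for this parameter. The following Java sketch is an added example, not code from the product or the original advisory: it maps the request value to a fixed ORDER BY fragment through an allow-list. The column names, the "field,direction" input format and the class name are assumptions.

```java
import java.util.Locale;
import java.util.Map;
// Added example. Column names and the "field,direction" input format are assumptions.
public final class SortAllowList {

    // Request key -> fixed column name. Only these constants can reach the SQL text.
    private static final Map<String, String> COLUMNS = Map.of(
            "name", "user_name",
            "created", "create_time",
            "dept", "dept_id");
    private static final String DEFAULT_ORDER = "create_time DESC";

    /** Builds an ORDER BY fragment from constants only; the input merely selects among them. */
    public static String toOrderBy(String sort) {
        if (sort == null || sort.isBlank()) {
            return DEFAULT_ORDER;
        }
        String[] parts = sort.trim().split(",", -1);
        if (parts.length > 2) {
            throw new IllegalArgumentException("sort: too many components");
        }
        String column = COLUMNS.get(parts[0].trim().toLowerCase(Locale.ROOT));
        if (column == null) {
            throw new IllegalArgumentException("sort: unknown field");
        }
        String direction = "ASC";
        if (parts.length == 2) {
            String d = parts[1].trim().toLowerCase(Locale.ROOT);
            if (d.equals("desc")) {
                direction = "DESC";
            } else if (!d.equals("asc")) {
                throw new IllegalArgumentException("sort: unknown direction");
            }
        }
        // Pass the result to the mapper; ORDER BY ${orderBy} then only ever sees these constants.
        return column + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two valid, one empty, three that must be rejected.
        String[] samples = {"name,desc", "created", "", "no_such_column", "name,sideways", "name,asc,x"};
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> " + toOrderBy(s));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + s + "' rejected: " + e.getMessage());
            }
        }
    }
}
```

Any value that is not an exact key of the map, including one carrying a function call or extra SQL syntax, is rejected before a statement is built, and the error message does not echo the input.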
