Cameasy Liketea SQL Injection Vulnerability in Store Listing API

Vulnerability

A critical SQL injection vulnerability has been identified in Cameasy Liketea version 1.0.0. The issue is in the 'list' function of StoreController, which backs the API endpoint '/api/v1/front/store/list'. An unauthenticated attacker can execute arbitrary SQL commands by manipulating the latitude and longitude parameters ('lat' and 'lng'). The user-supplied values are appended directly to a raw SQL query without sanitization or parameterization, so any SQL text placed in either parameter becomes part of the executed statement. The vulnerability is exploitable remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability gives an unauthenticated attacker arbitrary SQL execution against the application's database. This can lead to unauthorized disclosure of stored data, modification or deletion of records, and, depending on the privileges of the database account and the database configuration, reading or writing files on the database host or executing commands there.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/front/store/list' endpoint with the 'lat' and 'lng' parameters. The application inserts these values into its SQL query without checking that they are numeric, so SQL syntax supplied in either parameter is executed as part of the store lookup. Confirmation and data extraction can be automated with tools such as sqlmap, pointed at the POST body parameters of this endpoint.

Remediation

The primary fix is to stop building the query from string concatenation: pass the coordinates as bound parameters through prepared statements, or through a query builder that parameterizes values rather than interpolating them. As a second layer, validate the input before it reaches the data layer: cast 'lat' and 'lng' to numeric types and reject anything outside the valid ranges (-90 to 90 for latitude, -180 to 180 for longitude). A strict numeric cast on its own already removes the injection, because SQL text cannot survive conversion to a number, but it should be combined with parameterization so that a later change to the query does not reintroduce the flaw.
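The following is an added illustration of the bug class described in the Reproduction and Remediation sections above; it is example code written for this page, not Cameasy Liketea's own source, and the table layout, column names and distance logic are assumptions. It runs against an in-memory SQLite database with constructed sample rows. list_stores_vulnerable() interpolates 'lat' and 'lng' into the SQL text the way the advisory describes; list_stores_safe() applies the recommended range validation and bound parameters. With benign coordinates both return the same nearby store, but a crafted 'lat' value turns the vulnerable query into a UNION that reads schema metadata, while the safe version refuses the input.

```python
import sqlite3

# Constructed sample data standing in for the application's store table
# (assumption: the real schema is not published in the advisory).
SAMPLE_STORES = [
    (1, "Downtown", 31.2304, 121.4737),
    (2, "Airport", 31.1443, 121.8083),
    (3, "Suburb", 31.3000, 121.2000),
]

LAT_RANGE = (-90.0, 90.0)
LNG_RANGE = (-180.0, 180.0)


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (id INTEGER, name TEXT, lat REAL, lng REAL)")
    conn.executemany("INSERT INTO store VALUES (?, ?, ?, ?)", SAMPLE_STORES)
    return conn


def list_stores_vulnerable(conn, lat, lng, radius_deg=0.2):
    """Vulnerable pattern: request parameters pasted straight into the SQL text.

    Whatever the client sends for lat/lng becomes part of the statement, so a
    closing parenthesis, an operator or a comment marker rewrites the query.
    """
    sql = (
        "SELECT id, name FROM store WHERE "
        f"abs(lat - {lat}) < {radius_deg} AND abs(lng - {lng}) < {radius_deg}"
    )
    return conn.execute(sql).fetchall()


def parse_coordinate(value, bounds):
    """Strict numeric cast plus range check. Raises ValueError on anything else."""
    try:
        number = float(value)
    except (TypeError, ValueError):
        raise ValueError("coordinate is not numeric")
    lo, hi = bounds
    # NaN fails this comparison too, so it is rejected along with inf.
    if not (lo <= number <= hi):
        raise ValueError("coordinate out of range")
    return number


def list_stores_safe(conn, lat, lng, radius_deg=0.2):
    """Hardened version: validated floats passed as bound parameters."""
    lat_f = parse_coordinate(lat, LAT_RANGE)
    lng_f = parse_coordinate(lng, LNG_RANGE)
    sql = (
        "SELECT id, name FROM store WHERE "
        "abs(lat - ?) < ? AND abs(lng - ?) < ?"
    )
    return conn.execute(sql, (lat_f, radius_deg, lng_f, radius_deg)).fetchall()


# A 'lat' value that closes the abs() call, nulls the original predicate and
# appends a UNION reading table names from sqlite_master; the trailing comment
# swallows the rest of the original query, including the lng clause.
SCHEMA_LEAK_LAT = "0) AND 0 UNION SELECT 1, name FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable:", list_stores_vulnerable(db, "31.2304", "121.4737"))
    print("benign, safe:      ", list_stores_safe(db, "31.2304", "121.4737"))
    print("injected, vulnerable:", list_stores_vulnerable(db, SCHEMA_LEAK_LAT, "121"))
    try:
        list_stores_safe(db, SCHEMA_LEAK_LAT, "121")
    except ValueError as exc:
        print("injected, safe: rejected ->", exc)
```

The same parse_coordinate() check belongs at the request boundary of the real endpoint regardless of which database driver is in use; the bound-parameter form is what prevents the query text from ever depending on client input.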

Added: Nov 13, 2025, 5:26 PM
Updated: Nov 13, 2025, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.