WeiYe-Jing DataX-Web SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in WeiYe-Jing DataX-Web versions through 2.1.2. The issue arises in the incremental synchronization feature, where the table and column names supplied in a task definition are interpolated into the generated SQL statement without being validated as identifiers. Because identifiers cannot be bound as query parameters, anything placed in these fields becomes part of the statement text, so an authenticated user can execute arbitrary SQL against the configured data source, potentially leading to unauthorized data access or modification.

Impact

Exploitation allows authenticated users to execute arbitrary SQL queries on the database, extract or manipulate data, and possibly execute administrative database commands, depending on their database privileges.

Reproduction

To reproduce this vulnerability, authenticate as a user in DataX-Web and create a new incremental synchronization task via the API. Set the 'incrementType' to 1 for ID-based synchronization, and place SQL in the 'readerTable' or 'primaryKey' field instead of a plain identifier. Once the task is created, execute it; the injected text is concatenated into the query the job builds and runs against the source database.

Remediation

It is recommended to validate user-supplied table and column names as identifiers before they reach the query builder. Parameterized queries alone do not solve this case, because database drivers bind values, not identifiers: the table and column names must instead be checked against a strict syntactic pattern and allowlisted against the schema metadata of the configured data source (the table must exist, and the column must belong to it), then quoted as identifiers in the generated statement. Values such as the last synchronized ID should still be passed as bound parameters. Additionally, applying the principle of least privilege to the database account the job uses (read-only access to the tables it is meant to synchronize) limits the damage if an injection does succeed.
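The following is an added example of the pattern described under Reproduction and of the remediation above. It is not DataX-Web's own code (the project is written in Java); it is a Python stand-in that uses an in-memory sqlite3 database as the job's source. The function names (max_id_unsafe, max_id_safe, validate_identifiers), the tables orders and app_user, and the sample rows are all constructed for the illustration.

```python
import re
import sqlite3

# Constructed stand-in for the job's source database. The real reader talks to
# whatever JDBC data source the task is configured with; sqlite3 in memory is
# enough to show why identifier injection works and how the check stops it.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL);
        INSERT INTO orders VALUES (1, 10.0), (2, 20.0), (3, 30.0);
        CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, pwd_hash TEXT);
        INSERT INTO app_user VALUES (1, 'admin', 'hash-of-secret');
    """)
    return conn


# Vulnerable pattern: readerTable / primaryKey from the task definition are
# concatenated straight into the query that looks up the high-water mark.
def max_id_unsafe(conn: sqlite3.Connection, reader_table: str, primary_key: str):
    sql = f"SELECT MAX({primary_key}) FROM {reader_table}"
    return conn.execute(sql).fetchone()[0]


# Hardened version.  Step 1: identifiers must look like identifiers.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def quote_ident(name: str) -> str:
    # Standard SQL identifier quoting; after IDENT_RE there are no quotes to
    # escape, but quoting also prevents keywords from being reinterpreted.
    return '"' + name.replace('"', '""') + '"'


def validate_identifiers(conn: sqlite3.Connection, reader_table: str, primary_key: str) -> None:
    for name in (reader_table, primary_key):
        if not IDENT_RE.fullmatch(name):
            raise ValueError(f"illegal identifier: {name!r}")
    # Step 2: allowlist against the catalog.  The table must exist and the
    # column must belong to that table.  Both lookups bind the name as a
    # value, so this check is itself injection-safe.
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (reader_table,))}
    if reader_table not in tables:
        raise ValueError(f"unknown table: {reader_table!r}")
    columns = {r[0] for r in conn.execute(
        "SELECT name FROM pragma_table_info(?)", (reader_table,))}
    if primary_key not in columns:
        raise ValueError(f"unknown column {primary_key!r} in table {reader_table!r}")


def max_id_safe(conn: sqlite3.Connection, reader_table: str, primary_key: str):
    validate_identifiers(conn, reader_table, primary_key)
    # Identifiers still cannot be bound, so they are quoted after validation;
    # any value (e.g. the last synced id) would be passed as a parameter.
    sql = f"SELECT MAX({quote_ident(primary_key)}) FROM {quote_ident(reader_table)}"
    return conn.execute(sql).fetchone()[0]


def demo():
    conn = build_db()
    # A primaryKey field carrying a subquery instead of a column name.
    payload = "(SELECT pwd_hash FROM app_user WHERE username = 'admin')"
    leaked = max_id_unsafe(conn, "orders", payload)      # returns the hash
    try:
        max_id_safe(conn, "orders", payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, max_id_safe(conn, "orders", "id")


if __name__ == "__main__":
    print(demo())
```

The catalog lookup matters beyond the regex: a name such as pwd_hash passes the syntactic check but is rejected because it is not a column of orders. In a deployment the allowlist should be the set of tables the job's data source account is meant to read, which is also where least privilege on that account does its work.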

Added: Nov 16, 2025, 1:17 PM
Updated: Nov 16, 2025, 1:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.