RSI Queue Management System Unauthenticated Blind SQL Injection Vulnerability

Vulnerability

A blind SQL injection vulnerability allowing unauthenticated attackers to inject time-delayed SQL payloads has been identified in RSI Queue Management System version 3.0. The vulnerability resides within the TaskID parameter of the GET request handler. Exploitation of this issue enables attackers to induce server response delays, facilitating time-based inference and iterative extraction of sensitive database information without the need for authentication.

Impact

An unauthenticated attacker can gain unauthorized access to sensitive database contents, extracting them iteratively by means of the time-based SQL injection technique.

Reproduction

To reproduce this vulnerability, send a GET request with a malicious payload injected into the TaskID parameter. The injected SQL payload includes a time delay, for example a SQL command that pauses execution. The server's response time indicates whether the injected payload executed, which allows boolean-based inference. Repeating the process extracts database information iteratively.
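From the defender's side, the behaviour described above leaves a recognisable trace in web access logs: non-numeric TaskID values from one client, some of which take far longer than normal requests. The following detection sketch is an added example, not code from the vendor or the advisory; the log format, the `/qms/task` path, the assumption that legitimate TaskID values are integers, and the thresholds are all hypothetical, and the injected values in the sample are placeholders.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (assumed format: client "request line" status seconds).
# The /qms/task path is hypothetical; the injected values are elided placeholders.
SAMPLE_LOG = '''\
198.51.100.7 "GET /qms/task?TaskID=1042 HTTP/1.1" 200 0.041
198.51.100.7 "GET /qms/task?TaskID=1043 HTTP/1.1" 200 0.038
198.51.100.8 "GET /qms/task?TaskID=77 HTTP/1.1" 200 0.052
203.0.113.9 "GET /qms/task?TaskID=1042%27%20%2F%2Aelided%2A%2F HTTP/1.1" 200 5.112
203.0.113.9 "GET /qms/task?TaskID=1042%27%20%2F%2Aelided%2A%2F HTTP/1.1" 200 0.047
203.0.113.9 "GET /qms/task?TaskID=1042%27%20%2F%2Aelided%2A%2F HTTP/1.1" 200 5.098
198.51.100.8 "GET /qms/task?taskid=78 HTTP/1.1" 200 0.044
'''

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
NUMERIC_ID = re.compile(r"^\d{1,10}$")  # assumption: legitimate TaskID values are integers

def parse(log_text):
    """Yield (client, TaskID values, seconds) for each GET carrying a TaskID parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, target, _status, secs = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # Match the parameter name case-insensitively; parse_qs URL-decodes the values.
        values = [v for k, vs in query.items() if k.lower() == "taskid" for v in vs]
        if values:
            yield client, values, float(secs)

def find_suspects(log_text, slow_factor=20.0, min_slow=2):
    """Return {client: {"malformed": n, "slow": n}} for clients that sent non-numeric
    TaskID values, at least min_slow of which took slow_factor times longer than the
    median of well-formed requests."""
    records = list(parse(log_text))
    clean = [s for _, vals, s in records if all(NUMERIC_ID.match(v) for v in vals)]
    baseline = median(clean) if clean else 0.0
    stats = defaultdict(lambda: {"malformed": 0, "slow": 0})
    for client, vals, secs in records:
        if all(NUMERIC_ID.match(v) for v in vals):
            continue
        stats[client]["malformed"] += 1
        if baseline and secs > slow_factor * baseline:
            stats[client]["slow"] += 1
    return {c: s for c, s in stats.items() if s["slow"] >= min_slow}
```

Calling `find_suspects(SAMPLE_LOG)` flags only the client whose malformed requests alternate between slow and normal responses, which is the pattern that boolean inference over response time produces.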

Remediation

Users are advised to update to the patched version of RSI Queue Management System, which is available as of May 2, 2025.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.