Seeyon Zhiyuan Interconnect FE Collaborative Office Platform SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform version 5.5.2. The issue arises from improper handling of the 'name' parameter in the '/sysform/042/check.js%70' endpoint, allowing remote attackers to inject malicious SQL payloads. This vulnerability has been publicly disclosed and could be exploited to access sensitive database information.

Impact

Exploitation of this vulnerability allows for blind time-based SQL injection, where an attacker can manipulate the 'name' parameter to create a delay in the application's response. This delay can be used to infer information about the database, such as its structure and contents.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/sysform/042/check.js%70' endpoint with a crafted 'name' parameter that includes a SQL injection payload. The injection can be verified by observing a delay in the response, which indicates that the SQL injection was successful and that the injected payload was executed.

Remediation

Users are advised to contact Seeyon for official security patches or mitigation recommendations. In the meantime, input validation and sanitization should be implemented for the 'name' parameter, and parameterized queries should be used to prevent SQL injection.