Dahua Smart Cloud Gateway Registration Platform SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Dahua Smart Cloud Gateway Registration Management Platform. This vulnerability arises in the '/index.php/User/doLogin' endpoint, where the application does not adequately sanitize user input in the username parameter. As a result, unauthenticated attackers can inject arbitrary SQL statements, potentially leading to the disclosure of sensitive database information.
Impact
Successful exploitation lets attackers manipulate database queries to extract, modify, or delete data. This could result in unauthorized access to sensitive information or disruption of data integrity.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/index.php/User/doLogin' endpoint with a crafted SQL injection payload in the username parameter. Depending on the database and application configuration, the injected SQL can be used to extract database information or execute arbitrary commands.
Remediation
Users are advised to upgrade to the latest version of the Dahua Smart Cloud Gateway Registration Management Platform, which addresses this vulnerability.
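For detection alongside the upgrade, the following added example (not code from Dahua or from this advisory) scans request logs for POSTs to '/index.php/User/doLogin' whose username value contains SQL metacharacters, including double-encoded ones. The JSON-lines log layout (src, method, path, body), the form-encoded body, and the rule set are assumptions made for illustration; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOGIN_PATH = "/index.php/user/dologin"  # endpoint from the advisory, lowercased

# Heuristic markers (assumed rule set) that should not appear in a login name.
RULES = {
    "quote": re.compile(r"['\"`]"),
    "comment": re.compile(r"--|/\*|#"),
    "stacked": re.compile(r";"),
    "keyword": re.compile(r"\b(union|select|sleep|benchmark)\b", re.I),
}

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "path": "/index.php/User/doLogin", "body": "username=operator1&password=x"}
{"src": "203.0.113.9", "method": "POST", "path": "/index.php/User/doLogin", "body": "username=a%27+OR+%271%27%3D%271&password=x"}
{"src": "203.0.113.9", "method": "POST", "path": "/index.php/user/dologin/", "body": "username=a%2527%2520--%2520&password=x"}
{"src": "198.51.100.7", "method": "GET", "path": "/index.php/User/doLogin", "body": ""}
"""


def fully_decode(value, rounds=3):
    """Strip up to `rounds` extra layers of percent-encoding (double encoding)."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def scan(log_text):
    """Return (src, username, matched_rules) for suspicious login attempts."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        path = urlsplit(rec.get("path", "")).path.rstrip("/").lower()
        if rec.get("method", "").upper() != "POST" or path != LOGIN_PATH:
            continue
        for raw in parse_qs(rec.get("body", "")).get("username", []):
            name = fully_decode(raw)
            hits = [rule for rule, rx in RULES.items() if rx.search(name)]
            if hits:
                findings.append((rec.get("src"), name, hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rules are heuristics: a legitimate login name containing an apostrophe will also match, so treat hits as leads to review rather than confirmed exploitation.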
