Fujian Kelixun Command and Dispatch Management Platform SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in Fujian Kelixun's Command and Dispatch Management Platform version 1.0. The issue resides in the file '/app/xml_cdr/xml_cdr_details.php', where insufficient input validation of the 'uuid' parameter allows remote attackers to inject malicious SQL commands. This vulnerability could lead to unauthorized access to the operating system, exploitation of the database, and disruption of services.
Impact
Exploitation of this vulnerability allows attackers to inject SQL commands that are executed by the database. This could lead to unauthorized data access, data manipulation and, in some cases, command execution on the server's operating system.
Reproduction
The vulnerability can be reproduced by sending a GET request to '/app/xml_cdr/xml_cdr_details.php' with a crafted 'uuid' parameter that includes malicious SQL code. The injection is time-based (blind): it can be verified by observing a delay in the response, which indicates that the injected SQL command was executed. This vulnerability can be exploited without authentication.
Remediation
It is recommended to implement input validation and use prepared statements to prevent SQL injection. Regular security audits can also help identify and fix potential vulnerabilities.
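As an added illustration (not the platform's own code, which is not reproduced here), the following PHP shows the unsafe pattern the advisory describes next to a hardened handler that combines an allow-list format check on 'uuid' with a PDO prepared statement. The DSN, the table name and the column name are assumptions.

```php
<?php
// Added example, not the platform's code. Table v_xml_cdr, column
// xml_cdr_uuid and the DSN are assumptions for illustration only.

function connectDb(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=cdr', 'app', 'PLACEHOLDER_PASSWORD');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Caveat for MySQL: without this, PDO builds the query client-side
    // and the "prepared" statement is not a server-side parameterised one.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

function getCdrDetailsUnsafe(PDO $db, array $get): array|false
{
    // Vulnerable pattern: the request value is spliced into the SQL text,
    // so whatever the caller sends becomes part of the query grammar.
    $uuid = $get['uuid'] ?? '';
    $sql  = "SELECT * FROM v_xml_cdr WHERE xml_cdr_uuid = '" . $uuid . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

function isValidUuid(string $value): bool
{
    // Allow-list check: only the canonical 8-4-4-4-12 hexadecimal form.
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

function getCdrDetailsSafe(PDO $db, array $get): array|false
{
    // The endpoint should also sit behind the platform's session check;
    // that part is omitted here because the page does not describe it.
    $uuid = $get['uuid'] ?? '';
    if (!isValidUuid($uuid)) {
        http_response_code(400);   // reject anything that is not a UUID
        return false;
    }
    // Prepared statement: the value travels as a bound parameter and is
    // never interpreted as SQL, so a delay-inducing payload has no effect.
    $stmt = $db->prepare('SELECT * FROM v_xml_cdr WHERE xml_cdr_uuid = :uuid');
    $stmt->execute([':uuid' => $uuid]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
```

The format check is defence in depth: the prepared statement alone closes the injection, but rejecting malformed values early also keeps such requests out of the database and makes them easy to log and alert on.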
