ZIRA Group WBRM SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in ZIRA Group WBRM version 7.0 in the 'referenceLookupsByTableNameAndColumnName' function. An authenticated, low-privileged user can execute arbitrary SQL against the application's backend database. The root cause is that the 'tableName' and 'columnName' parameters, which are used as SQL identifiers (a table name and a column name), are concatenated into the query text without being validated against the set of reference tables and columns the function is meant to expose, so attacker-supplied SQL in either parameter becomes part of the executed statement.
Impact
Exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive data, modification or deletion of database records, and in some cases, escalation of privileges to gain administrative access.
Reproduction
The vulnerability can be reproduced by sending an authenticated GET request to the '/pcback/referenceLookupByTableAndColumnName' endpoint with SQL injected into the 'columnName' parameter. A malformed identifier (for example an unbalanced quote) is enough to verify the issue: the backend's SQL error message is returned in the HTTP response, which shows that the parameter reached the query text unmodified and that database errors are not suppressed before they reach the client. Once confirmed, a well-formed subquery or UNION in the same parameter returns data from tables the lookup was never intended to expose.
Remediation
To address this vulnerability, the lookup should no longer build SQL by concatenating 'tableName' and 'columnName'. Note that prepared statements alone do not fix this case: bound parameters carry values, not identifiers, so a table or column name cannot be passed as a placeholder. Both parameters must instead be checked against an allowlist of the reference tables and columns the function is permitted to read (for example, derived from the database catalog for a fixed set of tables), and only the allowlisted identifier, properly quoted, may be placed into the statement. In addition, validate all other user input, run the application with a database account restricted to the reference tables it needs (principle of least privilege), and stop returning raw database error messages to clients, since those messages are what make the flaw trivial to confirm.
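The following is an added example, not code from the advisory or from ZIRA Group: it models the flawed lookup described in the Vulnerability and Reproduction sections beside the hardened form described under Remediation, against a constructed SQLite schema. The table names (ref_country, app_user), column names and the admin row are assumptions; WBRM's real schema and the actual server-side code are not documented on this page.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the backend database.
    ref_country is a legitimate reference table; app_user is a table the
    lookup endpoint was never meant to expose (both names are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ref_country (code TEXT, name TEXT);
        INSERT INTO ref_country VALUES ('DE', 'Germany'), ('FR', 'France');
        CREATE TABLE app_user (username TEXT, password_hash TEXT, is_admin INTEGER);
        INSERT INTO app_user VALUES ('admin', 'sha256$deadbeef', 1);
    """)
    return con


def lookup_vulnerable(con, table_name, column_name):
    """Mirrors the flaw in the advisory: both identifiers are concatenated into
    the statement, so any SQL placed in table_name or column_name is executed."""
    sql = f"SELECT DISTINCT {column_name} FROM {table_name} ORDER BY 1"
    return [row[0] for row in con.execute(sql)]


def probe_error_based(con):
    """The advisory's verification step: an unbalanced quote in columnName makes
    the database raise, and the error text is what a vulnerable endpoint echoes
    back. Returns the error message, or None if the injection did not reach SQL."""
    try:
        lookup_vulnerable(con, "ref_country", "name'")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def exfiltrate(con):
    """Arbitrary SQL through columnName: a scalar subquery reads a table the
    reference lookup has no business touching (assumed table and columns)."""
    payload = "(SELECT username || ':' || password_hash FROM app_user WHERE is_admin = 1)"
    return lookup_vulnerable(con, "ref_country", payload)


# Hardened form. Bound parameters cannot carry identifiers, so the fix is an
# allowlist: a fixed set of tables this endpoint may read, and the column list
# taken from the catalog for that table only.
REFERENCE_TABLES = frozenset({"ref_country"})  # assumed allowlist


def allowed_columns(con, table_name):
    if table_name not in REFERENCE_TABLES:
        raise ValueError(f"table not permitted: {table_name!r}")
    # table_name is now one of the literals above, so quoting it here is safe.
    return {row[1] for row in con.execute(f'PRAGMA table_info("{table_name}")')}


def lookup_hardened(con, table_name, column_name):
    """Only an allowlisted table/column pair is ever placed in the statement,
    and it is quoted as an identifier rather than inserted verbatim."""
    if column_name not in allowed_columns(con, table_name):
        raise ValueError(f"column not permitted: {column_name!r}")
    sql = f'SELECT DISTINCT "{column_name}" FROM "{table_name}" ORDER BY 1'
    return [row[0] for row in con.execute(sql)]


def is_rejected(con, table_name, column_name):
    """True when the hardened lookup refuses the identifier pair before any SQL runs."""
    try:
        lookup_hardened(con, table_name, column_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("error-based probe:", probe_error_based(db))
    print("exfiltrated:", exfiltrate(db))
    print("legitimate lookup:", lookup_hardened(db, "ref_country", "name"))
    print("payload rejected:", is_rejected(db, "ref_country", "name'"))
    print("foreign table rejected:", is_rejected(db, "app_user", "username"))
```

The error-based probe is the cheap confirmation the Reproduction section describes; the exfiltration call shows why a single injectable identifier is equivalent to arbitrary query execution. The hardened lookup never lets either parameter influence the SQL text unless it is already a member of the allowlist, and it fails closed with a ValueError that the caller can map to a generic HTTP error rather than a database message.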
