MyClub SQL Injection Vulnerability in Articles Endpoint
Vulnerability
A SQL injection vulnerability exists in MyClub version 0.5, specifically within the '/articles' endpoint. The vulnerability arises from inadequate input sanitization of several query parameters, including Content, GroupName, PersonName, lastUpdate, pool, and title. This flaw allows unauthenticated remote attackers to inject arbitrary SQL commands via a crafted GET request, potentially leading to unauthorized data access or manipulation of the database.
Impact
Exploitation of this vulnerability could result in complete access to the application's database, allowing attackers to read, modify, or delete any data. Additionally, it could enable privilege escalation by granting administrative rights to the attacker.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/articles' endpoint with a single quote in the 'PersonName' parameter. This will trigger a SQL error that reveals the underlying SQL query structure, confirming the presence of SQL injection. Once confirmed, the vulnerability can be exploited by injecting SQL commands to manipulate the database, such as extracting sensitive information or modifying database records.
Remediation
Users are advised to update to the patched version of MyClub, which is available on the project's GitHub repository. After updating, it's recommended to check the application logs for any signs of exploitation, such as SQL injection patterns or unusual error messages.
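The log check recommended above can be sketched as follows; this is an added example, not code from the MyClub project. It assumes the web server writes Apache/nginx "combined" access logs, and the indicator regex and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters the advisory lists as injectable on /articles.
AFFECTED_PARAMS = {"Content", "GroupName", "PersonName", "lastUpdate", "pool", "title"}

# Assumption: Apache/nginx "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Generic indicators (assumed list): quotes, comment markers, statement separators, SQL keywords.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|;|\b(union|select|insert|update|delete|drop|sleep|benchmark)\b""", re.I)


def scan_line(line):
    """Return a finding dict for a suspicious GET /articles request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != "/articles":
        return None
    # parse_qsl percent-decodes names and values, so %27 is inspected as '.
    hits = sorted({k for k, v in parse_qsl(url.query, keep_blank_values=True)
                   if k in AFFECTED_PARAMS and SQLI_RE.search(v)})
    if not hits:
        return None
    # A 5xx status alongside a hit matches the SQL error behaviour described above.
    return {"ip": m["ip"], "status": int(m["status"]), "params": hits,
            "server_error": m["status"].startswith("5")}


def scan(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /articles?title=Season+opener HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:01:12 +0000] "GET /articles?PersonName=%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [01/Jan/2024:10:01:40 +0000] "GET /articles?pool=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /news?PersonName=%27 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Hits are leads for triage rather than proof of compromise: legitimate values such as a name containing an apostrophe will also match, so correlate findings with server errors and repeated requests from the same source.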
