XCKK Low-Code Development Platform SQL Injection Vulnerability

A SQL injection vulnerability has been identified in version 9.6 of the XCKK low-code development platform. The issue arises in the UserController.java file, where the 'orderBy' parameter in the user/list endpoint is not properly sanitized. This lack of validation allows attackers to inject malicious SQL code, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could result in unauthorized data access, data modification or deletion, and exposure of sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/oa/user/list' endpoint. The request must include the 'orderBy' parameter with a crafted SQL injection payload, such as a SQL injection bypassing the application's input validation. The injection can be verified by observing the application's response or by using a tool like sqlmap to automate the exploitation process.

Remediation

To address this vulnerability, it is recommended to implement input validation and sanitization for the 'orderBy' parameter, ensuring that only safe, expected values are accepted. Additionally, using prepared statements for database queries can help prevent SQL injection by separating SQL code from user input.