XCKK Low-Code Development Platform SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the XCKK low-code development platform, specifically in version 9.6. The issue arises in the OaNoticeController.java file, where the 'cond' parameter in the notice/list endpoint is not properly sanitized. This lack of input validation allows attackers to inject malicious SQL queries, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could result in unauthorized data access, data modification or deletion, and extraction of sensitive information from the database.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the '/oa/notice/list' endpoint. The request must include the 'cond' parameter with a crafted SQL injection payload, such as a UNION SELECT statement that exploits the application's SQL query handling. The injection takes advantage of the application's failure to properly validate and sanitize user input, allowing malicious SQL code to be executed on the database.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to separate SQL code from user input, conduct thorough input validation and filtering to ensure data conforms to expected formats, and minimize database user permissions by using accounts with only the necessary privileges.