Open Source Social Network SQL Injection Vulnerability in Version 8.6

Vulnerability

A blind, time-based SQL injection vulnerability has been identified in Open Source Social Network (OSSN) version 8.6. The issue resides in the '/action/rtcomments/status' endpoint, specifically in the handling of the 'timestamp' parameter. It allows an authenticated attacker to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability could result in unauthorized data access, data modification, and privilege escalation, depending on the database permissions of the user.

Remediation

Users are advised to upgrade OSSN to version 8.9 or later. After upgrading, ensure that the application uses parameterized queries or prepared statements for all database interactions, and validate the 'timestamp' input strictly, accepting only expected numeric or ISO-format values. It is also recommended to apply the principle of least privilege to the database account, enable query timeouts, and enable logging.
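The following PHP snippet is an added illustration of the two code-level measures above (strict validation of 'timestamp' and a prepared statement), written for this page; it is not OSSN's own code and does not reflect how the project's 'rtcomments/status' action is implemented. The table name 'ossn_comments_example', the column names and the function names are hypothetical. The unsafe function is shown only as the pattern a defender should look for during review, beside the hardened form.

```php
<?php
// Added example (not OSSN project code): validate the 'timestamp' request
// parameter and bind it to a placeholder instead of interpolating it into SQL.
declare(strict_types=1);

/**
 * Accept only a Unix epoch (1-10 digits) or an RFC 3339 / ISO 8601 date-time
 * such as "2025-11-05T21:20:00+00:00". Returns the value as an integer epoch,
 * or null when the input does not match either form exactly.
 */
function parse_timestamp(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);

    // Numeric form: digits only, so no quotes, comments or operators can pass.
    if (preg_match('/^\d{1,10}$/', $raw) === 1) {
        return (int) $raw;
    }

    // ISO form: parse with a fixed format and require an exact round-trip so
    // trailing garbage or alternative spellings are rejected.
    $dt = DateTimeImmutable::createFromFormat(DateTimeInterface::ATOM, $raw);
    if ($dt !== false && $dt->format(DateTimeInterface::ATOM) === $raw) {
        return $dt->getTimestamp();
    }

    return null;
}

/**
 * UNSAFE pattern (for recognition during code review, hypothetical table):
 * the raw parameter is concatenated into the statement, so any SQL syntax
 * the client supplies becomes part of the query the database executes.
 */
function fetch_comments_unsafe(PDO $db, string $raw): array
{
    $sql = "SELECT id, comment FROM ossn_comments_example WHERE time_created > {$raw}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened form: the value is validated first, then sent to the server as a
 * typed bound parameter. The SQL text never changes, whatever the input.
 */
function fetch_comments_safe(PDO $db, ?string $raw): array
{
    $ts = parse_timestamp($raw);
    if ($ts === null) {
        http_response_code(400);   // reject rather than "fix up" bad input
        return [];
    }

    $stmt = $db->prepare(
        'SELECT id, comment FROM ossn_comments_example WHERE time_created > :ts'
    );
    $stmt->bindValue(':ts', $ts, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup (placeholder DSN and credentials). Turning off emulated
// prepares makes PDO use real server-side prepared statements with MySQL.
$db = new PDO('mysql:host=127.0.0.1;dbname=ossn_example', 'ossn_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$rows = fetch_comments_safe($db, $_GET['timestamp'] ?? null);
header('Content-Type: application/json');
echo json_encode($rows);
```

Two points about the design. The ISO branch deliberately requires the re-formatted value to equal the input; that is stricter than a loose date parser and is what keeps a value with an appended clause from being accepted. The prepared statement addresses the injection itself, and the validator is a second layer that also gives a clean 400 response for malformed input. On MySQL 5.7.8 or later, a per-statement limit such as `SELECT /*+ MAX_EXECUTION_TIME(1000) */ ...` (or the session variable `max_execution_time`) is one way to implement the query-timeout recommendation above, which bounds how long any single query, including a deliberately slow one, can run.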

Added: Nov 5, 2025, 9:20 PM
Updated: Nov 5, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.