Cloudlog SQL Injection Vulnerability in VUCC Details Functionality

Vulnerability

A SQL injection vulnerability has been identified in Cloudlog versions through 2.7.5. This vulnerability allows authenticated users, including those with the default 'operator' role, to execute arbitrary SQL commands. The issue arises in the 'vucc_details_ajax' function within 'application/controllers/Awards.php', where the 'Gridsquare' POST parameter is not properly sanitized. The injected payload is concatenated into a raw SQL query in the 'vucc_qso_details' function, leading to potential database compromise.
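
The concatenation pattern the advisory describes, shown next to a parameterized and input-validated version, as an added example that is not Cloudlog's own code; the 'qsos' table, its column names, and the Maidenhead locator regex are assumptions.

```php
<?php
// Added illustration, not Cloudlog's code: the table, columns and locator
// regex are assumptions. Runs stand-alone against an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE qsos (callsign TEXT, gridsquare TEXT, band TEXT)");
$db->exec("INSERT INTO qsos VALUES ('DL1ABC', 'JO62', '20m'), ('G4XYZ', 'IO91', '40m')");

// Vulnerable pattern: the POST value is spliced into the SQL text, so a
// quote inside it changes the query instead of the value being matched.
function vucc_qso_details_vulnerable(PDO $db, string $gridsquare, string $band): array
{
    $sql = "SELECT callsign, gridsquare, band FROM qsos WHERE gridsquare = '" . $gridsquare . "'";
    if ($band !== 'All') {
        $sql .= " AND band = '" . $band . "'";
    }
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a Maidenhead locator, then
// bind the value so the database never parses it as SQL.
function vucc_qso_details_safe(PDO $db, string $gridsquare, string $band): array
{
    // Field (2 letters A-R), square (2 digits), optional subsquare (2 letters).
    if (!preg_match('/^[A-Ra-r]{2}[0-9]{2}([A-Xa-x]{2})?$/', $gridsquare)) {
        throw new InvalidArgumentException('Gridsquare is not a valid locator');
    }
    $sql = "SELECT callsign, gridsquare, band FROM qsos WHERE gridsquare = :grid";
    $params = [':grid' => $gridsquare];
    if ($band !== 'All') {
        $sql .= " AND band = :band";
        $params[':band'] = $band;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test input: a locator with a stray quote character.
$input = "JO62'";
try {
    vucc_qso_details_vulnerable($db, $input, 'All');
} catch (PDOException $e) {
    echo "vulnerable: quote reached the SQL parser -> ", $e->getMessage(), "\n";
}
try {
    vucc_qso_details_safe($db, $input, 'All');
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
echo "hardened, valid input: ", count(vucc_qso_details_safe($db, 'JO62', 'All')), " row\n";
```

The SQL error raised by the first call is the tell a code reviewer looks for: user input that can alter the query's parse is user input that can alter its meaning.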

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, with the potential to fully compromise the database by reading, modifying, or deleting data.

Reproduction

To reproduce this vulnerability, log into the Cloudlog application as an authenticated user with the 'operator' role. Once logged in, send a POST request to the 'awards/vucc_details_ajax' endpoint with the 'Gridsquare' parameter containing the injected SQL payload, and the 'Band' parameter set to 'All'. The injected SQL will be executed, demonstrating the vulnerability.

Remediation

Users can upgrade to Cloudlog version 2.7.6, which includes patches for this vulnerability.

Added: Nov 14, 2025, 9:17 PM
Updated: Nov 14, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.