Deerwms Deer-WMS-2 SQL Injection Vulnerability in Unallocated List Endpoint

Vulnerability

A critical SQL injection vulnerability has been identified in DeerWMS Deer-WMS-2 versions through 3.3. The issue arises in the '/system/role/authUser/unallocatedList' endpoint, where the 'params[dataScope]' parameter is user-controllable and not properly sanitized. This lack of input validation, combined with the absence of prepared statements in the final SQL query execution, allows attackers to manipulate the parameter and inject malicious SQL. The vulnerability can be exploited remotely, potentially leading to unauthorized access to sensitive database information or complete control over the server.

Impact

Successful exploitation lets an attacker interfere with the queries the application issues to its database. This could lead to unauthorized data access, data manipulation, or in some cases the execution of administrative operations on the database. Additionally, according to the vulnerability's advisory, this SQL injection could be leveraged to gain full control over the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/system/role/authUser/unallocatedList' endpoint. Include a 'params[dataScope]' parameter with a crafted SQL payload that exploits the injection flaw, such as one that uses 'extractvalue' to retrieve database information.
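As an added illustration that is not part of this advisory or of the Deer-WMS-2 project, the following Python sketch shows the two defender-side checks the finding above calls for: dropping a client-supplied 'params[dataScope]' before the request reaches the query layer (the data-scope fragment must be derived server-side from the caller's roles), and flagging requests that carry that parameter in the output of a body-logging proxy. The log format, sample lines, and function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/system/role/authUser/unallocatedList"
# params[...] keys only the server may set; dataScope is the one the advisory
# names. Its SQL fragment must be derived from the caller's roles, never read
# from the request.
SERVER_ONLY_PARAMS = {"dataScope"}

def strip_server_only_params(form: dict) -> dict:
    """Drop client-supplied params[<name>] keys that only the server may set.
    `form` is parse_qs output (key -> list of values); other filters are kept."""
    cleaned = {}
    for key, values in form.items():
        m = re.fullmatch(r"params\[(\w+)\]", key)
        if m and m.group(1) in SERVER_ONLY_PARAMS:
            continue  # discarded before the query layer ever sees it
        cleaned[key] = values
    return cleaned

# Constructed log format (hypothetical body-logging reverse proxy):
#   <client> "<METHOD> <path> <proto>" <status> <bytes> body="<urlencoded body>"
LOG_RE = re.compile(r'"POST (\S+)[^"]*" \d{3} \d+ body="([^"]*)"')

def is_suspicious_request(log_line: str) -> bool:
    """True when a POST to the affected endpoint carries params[dataScope]."""
    m = LOG_RE.search(log_line)
    if not m:
        return False
    path, body = m.group(1), m.group(2)
    if path.split("?", 1)[0] != ENDPOINT:
        return False
    return "params[dataScope]" in parse_qs(body, keep_blank_values=True)

def flag_suspicious(lines: list) -> list:
    """Indices of log lines that is_suspicious_request flags."""
    return [i for i, line in enumerate(lines) if is_suspicious_request(line)]

# Constructed sample lines; the injected value is a placeholder, not a payload.
SAMPLE_LOG = [
    '10.0.0.5 "POST /system/role/authUser/unallocatedList HTTP/1.1" 200 512 '
    'body="roleId=2&params%5BbeginTime%5D=2025-07-01"',
    '10.0.0.9 "POST /system/role/authUser/unallocatedList HTTP/1.1" 200 734 '
    'body="roleId=2&params%5BdataScope%5D=PLACEHOLDER_INJECTED_SQL"',
    '10.0.0.5 "GET /system/role/list HTTP/1.1" 200 120 body=""',
]
```

Legitimate date-range filters such as 'params[beginTime]' pass through untouched, so the check targets only the parameter the advisory names.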

Added: Jul 25, 2025, 12:37 AM
Updated: Jul 25, 2025, 12:37 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.