DeerWMS Deer-WMS-2 SQL Injection Vulnerability in AuthUser AllocatedList Endpoint
Vulnerability
A critical SQL injection vulnerability has been identified in DeerWMS Deer-WMS-2 versions up to 3.3. The issue arises in the '/system/role/authUser/allocatedList' endpoint, where the 'params[dataScope]' argument is user-controllable and not properly sanitized. This lack of input validation, combined with the absence of prepared statements in the final SQL query execution, allows attackers to manipulate the parameter and execute arbitrary SQL commands. The vulnerability can be exploited remotely, potentially leading to unauthorized access to sensitive database information or complete control over the server.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database. Additionally, such vulnerabilities can sometimes be leveraged to execute arbitrary code on the server, depending on the application's architecture and database management system.
Reproduction
To reproduce this vulnerability, send a POST request to the '/system/role/authUser/allocatedList' endpoint. Include the 'params[dataScope]' parameter with a crafted payload that exploits the SQL injection flaw, such as one that uses 'extractvalue' to retrieve database information.
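A defensive check for the request shape described above, as an added example that is not code from the advisory or from the DeerWMS project: it flags POST requests to the affected endpoint that carry a client-supplied 'params[dataScope]' field, including the percent-encoded form of the key. It assumes legitimate clients never send this field; the other form field names, the second function marker and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoint and parameter name are taken from the advisory text.
ENDPOINT = "/system/role/authUser/allocatedList"
PARAM = "params[dataScope]"
# 'extractvalue' is the function the advisory names; 'updatexml' is an added
# assumption (another XML function often seen in error-based probes).
SQL_MARKERS = ("extractvalue", "updatexml")


def inspect_request(method, url, body):
    """Return a list of findings for one HTTP request (empty list = clean)."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path.rstrip("/") != ENDPOINT:
        return []
    findings = []
    # parse_qsl percent-decodes keys, so 'params%5BdataScope%5D' is caught too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for key, value in pairs:
        if key.strip().lower() != PARAM.lower():
            continue
        # Assumption: the field is never legitimately sent by a client,
        # so its mere presence is worth an alert or a block.
        findings.append("client-supplied " + PARAM)
        lowered = value.lower()
        for marker in SQL_MARKERS:
            if marker in lowered:
                findings.append("sql function in value: " + marker)
    return findings


# Constructed sample requests (not captured traffic); the flagged value is a
# non-functional placeholder, and roleId/pageNum/pageSize are made-up fields.
SAMPLES = [
    ("POST", ENDPOINT, "roleId=2&pageNum=1&pageSize=10"),
    ("POST", ENDPOINT, "roleId=2&params%5BdataScope%5D=x+ExtractValue(PLACEHOLDER)"),
    ("POST", "/system/role/list", "params%5BdataScope%5D=x"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(url, body, "->", inspect_request(method, url, body) or "clean")
```

The same logic can run as a reverse-proxy rule or over logged request bodies; it is a stopgap for detection and blocking, and the underlying fix remains binding the value through a prepared statement or deriving it server-side.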
