Jiujiujia Three-Dot Ordering System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Jiujiujia Three-Dot Ordering System, specifically in the JJJfood and JJJshop_Food products, all versions up to 20260103. The issue arises in the file '/index.php/api/product.category/index', where user input in the 'latitude' parameter is improperly sanitized before being incorporated into SQL queries. This flaw allows remote attackers to manipulate the input and execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive database information. The vulnerability has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/index.php/api/product.category/index' endpoint with the 'app_id' parameter set to '10001' and the 'latitude' parameter carrying a SQL injection payload, i.e. SQL syntax that the application's query handling incorporates unchanged.

Remediation

It is recommended to validate user-supplied parameters and to use prepared statements or parameterized queries, so that input such as 'latitude' is never concatenated into SQL text.
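As an illustration of that remediation, added here and not code from the affected project: the coordinate is accepted only as a bounded number and is then bound as a query parameter rather than spliced into the statement. The category table, its columns and the sqlite3 backend are assumptions for the example.

```python
import sqlite3

# Constructed in-memory table standing in for a category list with shop
# coordinates; not the vendor's schema, which this advisory does not show.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE category (id INTEGER, name TEXT, lat REAL, lng REAL)")
_conn.executemany("INSERT INTO category VALUES (?, ?, ?, ?)", [
    (1, "north", 31.30, 121.50),
    (2, "south", 31.10, 121.50),
    (3, "east", 31.20, 121.70),
])


def parse_coord(value, limit):
    """Accept only a finite decimal within +/-limit; reject anything else.

    float() refuses any string that is not a plain number, so SQL syntax
    appended to a coordinate never reaches the query at all.
    """
    try:
        num = float(str(value).strip())
    except ValueError:
        raise ValueError("coordinate must be numeric")
    if num != num or not (-limit <= num <= limit):  # NaN, inf or out of range
        raise ValueError("coordinate out of range")
    return num


def categories_near(latitude, longitude, conn=_conn):
    """Return category ids nearest-first, with user values bound as parameters."""
    lat = parse_coord(latitude, 90.0)    # latitude is only valid in [-90, 90]
    lng = parse_coord(longitude, 180.0)  # longitude only in [-180, 180]
    # Placeholders: the driver passes the numbers as data, never as SQL text,
    # so the statement's structure cannot be altered by the request.
    sql = ("SELECT id FROM category "
           "ORDER BY (lat - ?) * (lat - ?) + (lng - ?) * (lng - ?)")
    rows = conn.execute(sql, (lat, lat, lng, lng)).fetchall()
    return [r[0] for r in rows]
```

A request whose 'latitude' fails `parse_coord` should be answered with a 400-style error before any database access takes place.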

Added: Jan 11, 2026, 9:18 AM
Updated: Jan 11, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.