OFCMS SQL Injection Vulnerability in JSON Query Interface

Vulnerability

A SQL injection vulnerability has been identified in OFCMS version 1.1.3 within the JSON Query Interface. The issue arises in the SystemParamController component, specifically in the Query function of the file located at 'ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemParamController.java'. The vulnerability allows remote attackers to manipulate the 'field' parameter, which is improperly validated and directly appended to the 'ORDER BY' clause of the SQL query. This flaw enables blind SQL injection by crafting complex SQL expressions, including nested subqueries and Boolean logic.

Impact

Exploiting this vulnerability lets an attacker manipulate database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the OFCMS admin backend and obtain the session cookie. Then, send a POST request to '/ofcms_admin/admin/system/param/query.json' with a crafted 'field' parameter that exploits the SQL injection vulnerability. The injection can be verified by extracting data, such as the admin user's password, from the database through the SQL injection payload.

Remediation

It is recommended to filter user input data and implement a whitelist for the 'field' parameter, allowing only predefined fields to be used in the SQL query.
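
One way to implement the recommended whitelist, shown as an added example that is not OFCMS code: the request's 'field' value is only used as a lookup key, and the ORDER BY clause is built from fixed identifiers. The class name, the column names and the 'sort' direction parameter are hypothetical.

```java
import java.util.Map;

// Added example, not OFCMS code. Requires Java 9+ for Map.of.
// Column names are hypothetical; use the real sortable columns of the table.
public final class OrderByWhitelist {

    // Maps the client-facing 'field' value to a fixed SQL identifier.
    // Only the map's values ever reach the SQL text, never the request input.
    private static final Map<String, String> SORTABLE = Map.of(
            "name", "param_name",
            "value", "param_value",
            "createTime", "create_time");

    private static final String DEFAULT_COLUMN = "create_time";

    private OrderByWhitelist() {}

    /** Returns an ORDER BY clause built only from whitelisted identifiers. */
    public static String orderBy(String field, String sort) {
        String column = (field == null) ? null : SORTABLE.get(field.trim());
        if (column == null) {
            // Unknown field: fall back to a default (or reject with HTTP 400).
            column = DEFAULT_COLUMN;
        }
        // The direction (hypothetical 'sort' parameter) is also client-controlled:
        // accept only the two keywords.
        boolean descending = sort != null && "desc".equalsIgnoreCase(sort.trim());
        return " ORDER BY " + column + (descending ? " DESC" : " ASC");
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(orderBy("name", "desc"));
        System.out.println(orderBy("value", null));
        // An expression is not a key in the map, so it never reaches the SQL text.
        System.out.println(orderBy("(SELECT 1)", "asc"));
    }
}
```

Identifiers cannot be bound as prepared-statement parameters, which is why the column name is selected from a fixed map; all other values in the query should still be passed as bound parameters.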

Added: Jun 1, 2026, 12:20 AM
Updated: Jun 1, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.