Yonyou KSOA SQL Injection Vulnerability in Catalog Save Function

A SQL injection vulnerability has been identified in Yonyou KSOA version 9.0. The issue resides in the '/kmc/save_catalog.jsp' file, where the application improperly handles the 'catalogid' parameter in HTTP GET requests. This lack of validation allows unauthenticated remote attackers to inject malicious SQL commands, potentially leading to unauthorized database access, data manipulation, or exploitation of the database server. The vulnerability affects environments using Microsoft SQL Server.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to execute arbitrary SQL commands. This could result in unauthorized access to the database, leakage of sensitive data, tampering with data, or even gaining administrative control over the database server.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'http://<target_ip>:<port>/kmc/save_catalog.jsp' with the 'catalogid' parameter. The injected SQL payload can exploit the vulnerability by, for example, using SQL injection techniques such as stacked queries.

Remediation

It is recommended to use prepared statements for database queries to prevent SQL injection. Additionally, input validation should be implemented to ensure that the 'catalogid' parameter only contains expected values. Deploying a Web Application Firewall (WAF) to block common SQL injection patterns and disabling detailed database error messages on the frontend can also help mitigate the risk.