Phishing Club SQL Injection Vulnerability in GetOrphaned Recipient Listing Endpoint
Vulnerability
A blind SQL injection vulnerability has been identified in the Phishing Club framework, specifically in the GetOrphaned recipient listing endpoint of versions prior to 1.30.2. The endpoint concatenates the user-controlled sortBy value directly into the ORDER BY clause of a raw SQL query without validating it against an allowlist, so an authenticated user can inject arbitrary SQL expressions at that position. As a result, an authenticated attacker could manipulate the query to extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for authenticated blind SQL injection, where an attacker can inject SQL expressions that are executed by the database. This could be used to infer information from the database by observing changes in the application's behavior or response.
Reproduction
To reproduce this vulnerability, an authenticated user session is required, along with at least two orphaned recipients in the database. The vulnerability can be exploited by sending a request to the GetOrphaned endpoint with a sortBy parameter that includes a crafted SQL expression, such as a CASE statement that manipulates the sorting order based on a condition.
Remediation
Update to Phishing Club version 1.30.2 or later. The fix validates the ORDER BY column against an allowlist and clears unknown mappings, so only known column names can reach the query.
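The flawed pattern described above beside an allowlisted query builder, as an added illustration that is not Phishing Club's own code. Table and column names (recipients, r.email, r.created_at, r.name, r.group_id) are assumed for the example and do not reflect the project's schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sortColumns is the allowlist: the only sort keys the endpoint accepts,
// each mapped to the exact column it may order by. Names are hypothetical.
var sortColumns = map[string]string{
	"email":      "r.email",
	"created_at": "r.created_at",
	"name":       "r.name",
}

// ErrBadSort is returned for any sortBy value outside the allowlist.
var ErrBadSort = errors.New("sortBy is not an allowed column")

const baseQuery = "SELECT r.id, r.email FROM recipients r WHERE r.group_id IS NULL ORDER BY "

// BuildOrphanedQueryVulnerable mirrors the flaw in the advisory: the raw
// sortBy string is concatenated into ORDER BY, so any SQL expression the
// caller supplies becomes part of the statement.
func BuildOrphanedQueryVulnerable(sortBy, order string) string {
	return baseQuery + sortBy + " " + order
}

// BuildOrphanedQuery is the hardened form: sortBy is resolved through the
// allowlist map (unknown keys are rejected, never passed through) and the
// direction is restricted to ASC or DESC, so the only strings that can
// reach the query are the fixed literals defined in this file.
func BuildOrphanedQuery(sortBy, order string) (string, error) {
	col, ok := sortColumns[strings.ToLower(strings.TrimSpace(sortBy))]
	if !ok {
		return "", ErrBadSort
	}
	dir := "ASC"
	if strings.EqualFold(strings.TrimSpace(order), "desc") {
		dir = "DESC"
	}
	return baseQuery + col + " " + dir, nil
}

func main() {
	q, err := BuildOrphanedQuery("email", "desc")
	fmt.Println(q, err)
	// A constructed, non-column value is rejected before any SQL is built.
	_, err = BuildOrphanedQuery("email, CASE WHEN ... END", "asc")
	fmt.Println(err)
}
```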
