openDCIM SQL Injection Vulnerability in Config UpdateParameter

Vulnerability

A SQL injection vulnerability has been identified in openDCIM versions through 23.04 (commit 4467e9c4). The flaw is in the Config::UpdateParameter method, which interpolates user-supplied input directly into the SQL statement text instead of binding it through a prepared statement, so a value containing a single quote alters the structure of the statement rather than being stored as data. An authenticated user can therefore execute arbitrary SQL against the application database.

Impact

Exploitation allows arbitrary SQL execution against the openDCIM database, which can be used to modify configuration and other stored data or to extract sensitive information. In the vulnerability chain in which it was discovered, this SQL injection is the step used to reach remote code execution.

Reproduction

The issue can be reproduced by sending a POST request to install.php or container-install.php with the ldapaction parameter set to Set and crafted values in the LDAP configuration fields. The LDAPServer field in particular can carry the SQL payload; because the value is spliced into the UPDATE statement, a payload that closes the quoted value can change which row is written or fold other stored values into the one being saved.

Remediation

Users should update to a patched release of openDCIM, in which Config::UpdateParameter binds values through prepared statements and LDAP input is validated before it is processed. Deployments should also confirm that the installer scripts named above (install.php, container-install.php) are no longer reachable once installation is complete, since they are the request path used to reach the vulnerable method.
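The following is an added, self-contained model of the pattern the advisory describes, written for this page and not taken from openDCIM. It runs the same configuration UPDATE twice against an in-memory SQLite table: once with the value interpolated into the statement text (the flawed shape of Config::UpdateParameter), once through a bound prepared statement (the fix). The table and column names, the LDAP parameter names, the two payloads posted as the LDAPServer field, and the hostname check are all constructed for illustration and are not openDCIM's real schema, traffic or validation code.

```python
"""Interpolated vs. prepared-statement UPDATE of a configuration parameter.

Example code written for this page; not openDCIM's code. The fac_Config
table, its columns and the LDAP parameter names are assumed for illustration.
"""

import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample configuration table with three LDAP settings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fac_Config (Parameter TEXT PRIMARY KEY, Value TEXT)")
    conn.executemany(
        "INSERT INTO fac_Config VALUES (?, ?)",
        [
            ("LDAPServer", "ldap.example.internal"),
            ("LDAPBaseDN", "dc=example,dc=internal"),
            ("LDAPUserSearch", "(uid=%s)"),
        ],
    )
    conn.commit()
    return conn


def update_parameter_vulnerable(conn: sqlite3.Connection, parameter: str, value: str) -> None:
    """The flawed pattern: the request value is spliced into the SQL text,
    so a single quote in it changes the statement's structure."""
    sql = f"UPDATE fac_Config SET Value='{value}' WHERE Parameter='{parameter}'"
    conn.execute(sql)
    conn.commit()


def update_parameter_safe(conn: sqlite3.Connection, parameter: str, value: str) -> None:
    """The fix: a prepared statement with bound parameters. The value travels
    as data and is never parsed as SQL, whatever characters it contains."""
    conn.execute("UPDATE fac_Config SET Value=? WHERE Parameter=?", (value, parameter))
    conn.commit()


# Defence in depth (an assumed policy, not taken from the advisory): an LDAP
# server setting should look like host[:port] or an ldap(s):// URI and nothing else.
LDAP_SERVER_RE = re.compile(r"^(?:ldaps?://)?[A-Za-z0-9.-]+(?::\d{1,5})?$")


def ldap_server_is_valid(value: str) -> bool:
    return bool(LDAP_SERVER_RE.match(value))


def dump(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT Parameter, Value FROM fac_Config").fetchall())


# Constructed payloads, as they would be posted in the LDAPServer field with
# ldapaction=Set. Payload A closes the quoted value, supplies its own WHERE
# clause and comments out the real one, so a different row is overwritten.
PAYLOAD_RETARGET = "attacker' WHERE Parameter='LDAPUserSearch' -- "
# Payload B stays inside the statement and concatenates another row's value
# into the one being written, so the stored value now carries that data.
PAYLOAD_READ = "x' || (SELECT Value FROM fac_Config WHERE Parameter='LDAPBaseDN') || '"


def run_vulnerable(payload: str) -> dict:
    conn = make_db()
    update_parameter_vulnerable(conn, "LDAPServer", payload)
    return dump(conn)


def run_safe(payload: str) -> dict:
    conn = make_db()
    update_parameter_safe(conn, "LDAPServer", payload)
    return dump(conn)


if __name__ == "__main__":
    print("interpolated, retarget payload:  ", run_vulnerable(PAYLOAD_RETARGET))
    print("interpolated, read payload:      ", run_vulnerable(PAYLOAD_READ))
    print("prepared statement, read payload:", run_safe(PAYLOAD_READ))
    print("validation rejects read payload: ", not ldap_server_is_valid(PAYLOAD_READ))
```

With the interpolated statement, payload A leaves LDAPServer untouched and sets LDAPUserSearch to "attacker", and payload B stores "xdc=example,dc=internal" under LDAPServer; with the bound statement both payloads are stored verbatim as the LDAPServer string and no other row changes. The hostname check is a second layer: it should reject anything that is not a plausible server address, but prepared statements are the fix, since validation alone cannot be relied on for every parameter the method writes.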

Added: Feb 28, 2026, 12:25 AM
Updated: Feb 28, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.1
exploitability  6.2
remediation     0.0
relevance       3.3
threat          6.9
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.