Dromara UJCMS JDBC Connection Injection Vulnerability

Vulnerability

A critical injection vulnerability has been identified in Dromara UJCMS version 10.0.2, specifically within the ImportDataController component. The issue arises in the importChanel function, where user-supplied driverClassName and url parameters are directly passed to establish a database connection. This lack of validation allows for exploitation via arbitrary file read or remote code execution. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for arbitrary file read or remote code execution. The file read capability can be used to access sensitive system files, such as Windows initialization files or Unix password files. If the application is using a vulnerable JDBC driver, the remote code execution could be leveraged to execute system commands on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the importChanel endpoint of the ImportDataController with a crafted DataSourceSqlParams object. Include a malicious JDBC URL that exploits the vulnerability, such as one that reads arbitrary files from the victim server or executes commands using a vulnerable database driver.

Remediation

To address this vulnerability, do not accept user input for the driverClassName or JDBC URL. Instead, hardcode allowed drivers and securely construct JDBC URLs on the backend. Implement parameter allowlisting to remove dangerous URL parameters, and ensure the application runs with limited file system permissions.
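One way to implement the remediation above, written here as an added example rather than UJCMS's own code: driver selection is keyed on a short fixed alias instead of a caller-supplied driverClassName, each URL component is validated before the URL is assembled on the backend, and only allowlisted query parameters are passed through. The alias names, regular expressions and ALLOWED_PARAMS set are assumptions chosen for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Builds a JDBC connection from validated parts; never accepts a raw URL or driver class name. */
public final class SafeJdbcFactory {

    // Hardcoded allowlist (assumed values): the client picks an alias, the backend picks the class.
    private static final Map<String, String> DRIVERS = Map.of(
            "mysql", "com.mysql.cj.jdbc.Driver",
            "postgresql", "org.postgresql.Driver");

    // URL query parameters the backend is willing to forward (assumed set); all others are dropped.
    private static final Set<String> ALLOWED_PARAMS = Set.of("useSSL", "serverTimezone", "characterEncoding");

    private static final Pattern HOST  = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    private static final Pattern NAME  = Pattern.compile("^[A-Za-z0-9_]{1,64}$");
    private static final Pattern VALUE = Pattern.compile("^[A-Za-z0-9_/+-]{1,64}$");

    /** Assembles the JDBC URL from validated components; rejects anything off the allowlists. */
    public static String buildUrl(String alias, String host, int port, String database,
                                  Map<String, String> params) {
        if (!DRIVERS.containsKey(alias)) throw new IllegalArgumentException("driver not allowed");
        if (!HOST.matcher(host).matches()) throw new IllegalArgumentException("invalid host");
        if (port < 1 || port > 65535) throw new IllegalArgumentException("invalid port");
        if (!NAME.matcher(database).matches()) throw new IllegalArgumentException("invalid database name");

        StringBuilder url = new StringBuilder("jdbc:" + alias + "://" + host + ":" + port + "/" + database);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!ALLOWED_PARAMS.contains(e.getKey())) continue;          // unknown parameter: dropped
            if (!VALUE.matcher(e.getValue()).matches())
                throw new IllegalArgumentException("invalid value for " + e.getKey());
            url.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return url.toString();
    }

    /** Loads only the allowlisted driver class and opens the connection with the backend-built URL. */
    public static Connection connect(String alias, String host, int port, String database,
                                     Map<String, String> params, String user, String password)
            throws ClassNotFoundException, SQLException {
        String url = buildUrl(alias, host, port, database, params);
        Class.forName(DRIVERS.get(alias));
        return DriverManager.getConnection(url, user, password);
    }
}
```

Because the caller can only choose an alias and validated host, port, database and parameter values, neither the driver class nor the URL scheme is ever under user control, which is the condition the importChanel flaw depends on.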

Added: Feb 22, 2026, 3:18 PM
Updated: Feb 22, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 5.9
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.