V2Board SQL Injection Vulnerability in User Sorting Function

Vulnerability

A SQL injection vulnerability has been identified in V2Board versions through 1.7.4. In the admin UserController the 'sort' parameter is taken from the request and passed straight to the query builder's 'orderBy' method without validation. An authenticated admin can therefore sort the user list by any column of the users table, including sensitive fields such as password hashes and tokens, so the order of the returned rows acts as an oracle on values the admin should not be able to query, leading to unauthorized information disclosure.

Impact

Exploitation gives the attacker control over the ORDER BY clause of the user-listing query, which is why the issue is classified as SQL injection. The demonstrated effect is sorting users by arbitrary columns, including password hashes and tokens, and inferring information about their contents from the resulting order. Whether the unvalidated column name can be used to go further (altering the query or running other statements) depends on how the ORM quotes identifiers; the advisory does not demonstrate that, so treat full query manipulation or administrative database operations as unconfirmed. Exploitation requires an authenticated admin, so the realistic threat is a malicious or compromised admin account using the sort order to extract data it should not see.

Reproduction

To reproduce this vulnerability, an authenticated admin sends the user-listing request handled by Admin/UserController with the 'sort' parameter set to a column the interface never offers, such as 'password' or 'token', and observes that the ordering of the response follows that column. Because the value is not checked against any list of permitted columns, any string the client sends reaches 'orderBy' unchanged, and the same request can be repeated with other column names or payloads to probe how far the query can be influenced.

Remediation

To address this vulnerability, validate the 'sort' parameter against a predefined allowlist of acceptable column names before applying it to the database query, and reject (rather than attempt to clean) any value that is not an exact match. The allowlist should omit sensitive columns such as password and token entirely. The sort direction should likewise be checked so that only 'ASC' or 'DESC' is accepted, with a safe default when the parameter is absent.
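The following standalone PHP is an added example, not V2Board's own code, covering both the reproduction and the remediation above: it places the vulnerable pass-through pattern next to an allowlisted version and runs both over constructed request inputs. The allowlist column names, the 'sort_type' parameter name and the helper function names are assumptions for illustration; only 'sort' comes from the advisory.

```php
<?php
// Added example (not V2Board's code): allowlist validation for a user-list
// sort parameter before it reaches the query builder's orderBy().
declare(strict_types=1);

final class SortParamException extends InvalidArgumentException {}

/**
 * Columns the user list may legitimately be sorted by. Sensitive columns
 * (password, token, ...) are deliberately absent, so no request can order
 * the result set by them and leak their relative values.
 * These column names are assumptions for the example, not V2Board's schema.
 */
const USER_SORT_ALLOWLIST = ['id', 'email', 'created_at', 'expired_at', 'transfer_enable'];

/**
 * Validate untrusted sort input and return [column, direction].
 * Anything outside the allowlist is rejected rather than "cleaned".
 */
function validateSort(?string $column, ?string $direction): array
{
    if ($column === null || $column === '') {
        $column = 'id';                 // default when no sort requested
    }
    // Exact, strict match against the allowlist: no case folding, no substring logic.
    if (!in_array($column, USER_SORT_ALLOWLIST, true)) {
        throw new SortParamException("sort column not allowed: {$column}");
    }
    $direction = strtoupper($direction ?? 'DESC');
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        throw new SortParamException("sort direction not allowed: {$direction}");
    }
    return [$column, $direction];
}

/**
 * Vulnerable pattern: whatever the client sent becomes the orderBy() arguments.
 * Shown only to make the shape of the flaw visible; never use.
 */
function vulnerableOrderByArgs(array $query): array
{
    return [$query['sort'] ?? 'id', $query['sort_type'] ?? 'DESC'];
}

/**
 * Hardened pattern: the same inputs go through validateSort() first.
 */
function hardenedOrderByArgs(array $query): array
{
    return validateSort($query['sort'] ?? null, $query['sort_type'] ?? null);
}

// Simulated query-string inputs (constructed for this example).
$requests = [
    ['sort' => 'email', 'sort_type' => 'asc'],               // legitimate
    ['sort' => 'password', 'sort_type' => 'DESC'],           // orders by a secret column
    ['sort' => 'token'],                                      // same, token column
    ['sort' => 'id` DESC, `password', 'sort_type' => 'ASC'], // not a plain column name
];

foreach ($requests as $q) {
    [$col, $dir] = vulnerableOrderByArgs($q);
    echo "vulnerable : orderBy('{$col}', '{$dir}')\n";
    try {
        [$col, $dir] = hardenedOrderByArgs($q);
        echo "hardened   : orderBy('{$col}', '{$dir}')\n";
    } catch (SortParamException $e) {
        echo "hardened   : rejected with 400 ({$e->getMessage()})\n";
    }
}
```

Run it with `php example.php`: the vulnerable function forwards every input, including 'password', 'token' and the malformed column name, while the hardened function accepts only the first request and rejects the rest. In a controller the caught exception would become a 400 response; the point is that the allowlist check happens before orderBy() is ever called, so the query builder's own identifier quoting is never relied on.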

Added: May 1, 2026, 5:13 PM
Updated: May 1, 2026, 5:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.1
remediation: 0.0
relevance: 7.2
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.