uzy-ssm-mall SQL Injection Vulnerability in Product and Order Components

Vulnerability

A SQL injection vulnerability has been identified in uzy-ssm-mall version 1.1.0. It allows remote attackers to access sensitive information through the ProductMapper.xml and OrderUtil.java components. The issue arises because multiple endpoints accept an external 'orderBy' parameter that is passed directly into 'OrderUtil' and concatenated into the 'ORDER BY' clause in the MyBatis XML mapper without validation. Since the value becomes part of the statement text rather than a bound parameter, an attacker controls part of the query, which is a dynamic SQL injection risk.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/product/{index}/{count}' endpoint with a crafted 'orderBy' parameter. Whether the injected SQL took effect can be determined from the application's response.

Remediation

To address this vulnerability, user-controlled input must not be concatenated into SQL statements through string-substitution placeholders. Use safe parameterization or a strict server-side mapping instead. In addition, maintain a whitelist of allowed sortable field names for the 'orderBy' parameter and reject any unexpected SQL keywords, expressions, or special characters in sorting-related input before it reaches the data access layer.
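One way to implement the whitelist mapping described above, as an added example in Java that is not uzy-ssm-mall's own code; the class name, the accepted sort keys and the column names are assumptions:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical hardened sort mapper (added example, not the project's OrderUtil).
// Only values produced by build() are ever substituted into the mapper's
// "ORDER BY ${safeOrderBy}"; the raw request parameter never reaches SQL text.
public final class SafeOrderBy {

    // Whitelist: client-facing sort key -> real column name (assumed names).
    private static final Map<String, String> SORTABLE = Map.of(
        "price", "product_price",
        "name", "product_name",
        "created", "create_time");

    // Each comma-separated item must be "key" or "key asc|desc"; anything else
    // (keywords, expressions, punctuation) is rejected before the data access layer.
    private static final Pattern ITEM = Pattern.compile("^([a-z_]+)(?:\\s+(asc|desc))?$");

    private static final String DEFAULT_CLAUSE = "create_time DESC";

    private SafeOrderBy() {}

    /** Builds an ORDER BY clause from untrusted input, or throws if any part is not whitelisted. */
    public static String build(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return DEFAULT_CLAUSE;
        }
        List<String> parts = new ArrayList<>();
        for (String raw : orderBy.split(",")) {
            Matcher m = ITEM.matcher(raw.trim().toLowerCase(Locale.ROOT));
            if (!m.matches()) {
                throw new IllegalArgumentException("rejected sort expression");
            }
            String column = SORTABLE.get(m.group(1));
            if (column == null) {
                throw new IllegalArgumentException("unknown sort field: " + m.group(1));
            }
            String direction = "desc".equals(m.group(2)) ? "DESC" : "ASC";
            parts.add(column + " " + direction);
        }
        return String.join(", ", parts);
    }

    public static void main(String[] args) {
        System.out.println(build("price desc, name"));   // product_price DESC, product_name ASC
        try { build("rating"); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the client supplies only a key and the server emits only its own column names, a rejected input is logged and refused rather than reaching MyBatis.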

Added: May 28, 2026, 4:07 AM
Updated: May 28, 2026, 4:07 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.