FeMiner WMS SQL Injection Vulnerability in Basic Organizational Structure Module

A SQL injection vulnerability has been identified in the FeMiner Warehouse Management System (WMS) versions through 1.0. The issue resides in the Basic Organizational Structure Module, specifically within the file '/wms-master/src/basic/depart/depart_add_bg.php'. The vulnerability allows remote attackers to inject malicious SQL queries by manipulating the 'name' parameter, exploiting inadequate input validation and sanitization. This injection could lead to unauthorized database access, data manipulation, and exposure of sensitive information.

Impact

Exploitation of this vulnerability allows attackers to inject SQL commands that could be executed by the database. This could result in unauthorized data access, data manipulation, and in some cases, executing administrative operations on the database server.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/wms-master/src/basic/depart/depart_add_bg.php' with the 'name' parameter containing injected SQL code. This can be done using tools like SQLMap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

It is recommended to use prepared statements and parameterized queries to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats. Minimizing database user permissions and conducting regular security audits can also help mitigate such vulnerabilities.