Sparx Pro Cloud Server Authentication Bypass Vulnerability Allowing Unauthenticated SQL Injection

Vulnerability

An authentication bypass vulnerability has been identified in Sparx Pro Cloud Server versions through 6.1. It allows attackers to execute arbitrary SQL queries without authenticating. The root cause is that the server's authentication check is keyed on the requested URL: a request that omits the 'model' query parameter is not subjected to the check, while the model name can instead be supplied inside the binary blob of a POST request body, which the server still processes. As a result, unauthenticated SQL query execution is possible.
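The flaw class described above is a check/use mismatch: the access decision looks at one input (the URL query string) while the request handler acts on another (the model name parsed out of the body). The following added example, hypothetical code that is not Sparx's and assumes a constructed body layout, access-control table and helper names, shows that pattern beside a hardened handler that parses the body first and authorizes the exact value it is about to use, rejecting requests where URL and body disagree.

```python
# Illustration of authorization keyed on the URL while the handler uses the body.
# Hypothetical code, not Sparx Pro Cloud Server's; the blob layout, ACL table and
# helper names below are assumptions made for the example.
import struct
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed per-model access control list: model name -> users allowed on it.
MODEL_ACL = {"public_model": {"alice", "bob"}, "hr_model": {"alice"}}


@dataclass
class Request:
    url: str
    user: Optional[str]      # authenticated principal, None when anonymous
    body: bytes = b""


def encode_body(model: str, sql: str) -> bytes:
    """Constructed blob layout: 2-byte big-endian name length, UTF-8 model name, SQL."""
    name = model.encode("utf-8")
    return struct.pack(">H", len(name)) + name + sql.encode("utf-8")


def model_from_url(url: str) -> Optional[str]:
    qs = parse_qs(urlsplit(url).query)
    return qs.get("model", [None])[0]


def model_from_body(body: bytes) -> str:
    (n,) = struct.unpack(">H", body[:2])      # raises struct.error if too short
    return body[2:2 + n].decode("utf-8")


def query_from_body(body: bytes) -> str:
    (n,) = struct.unpack(">H", body[:2])
    return body[2 + n:].decode("utf-8")


def authorized(user: Optional[str], model: str) -> bool:
    return user is not None and user in MODEL_ACL.get(model, set())


def run_sql(model: str, sql: str) -> str:
    # Stand-in for the database call; returns a description instead of executing.
    return f"ran on {model}: {sql}"


def vulnerable_handler(req: Request) -> Tuple[int, str]:
    # Gate only on the URL parameter: when it is absent, nothing is checked...
    url_model = model_from_url(req.url)
    if url_model is not None and not authorized(req.user, url_model):
        return (403, "forbidden")
    # ...yet the work is done on whatever model the body names.
    model = model_from_body(req.body)
    return (200, run_sql(model, query_from_body(req.body)))


def hardened_handler(req: Request) -> Tuple[int, str]:
    # Parse first, then authorize the exact value that will be acted on.
    try:
        model = model_from_body(req.body)
        sql = query_from_body(req.body)
    except (struct.error, UnicodeDecodeError):
        return (400, "malformed body")
    url_model = model_from_url(req.url)
    if url_model is not None and url_model != model:
        return (400, "model mismatch")   # refuse ambiguous requests outright
    if not authorized(req.user, model):
        return (403, "forbidden")
    return (200, run_sql(model, sql))


if __name__ == "__main__":
    anon = Request("/api/query", None, encode_body("hr_model", "SELECT 1"))
    print("vulnerable:", vulnerable_handler(anon))   # 200, query runs unauthenticated
    print("hardened:  ", hardened_handler(anon))     # 403
```

The design point is that the authorization decision and the database call must consume the same parsed value; deriving the subject of the check from a different, optional input is what lets the check be skipped. Treating a URL/body disagreement as a hard error, rather than preferring one source, also closes the variant where a permitted model is named in the URL and a different one in the body.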

Impact

Exploitation of this vulnerability allows arbitrary SQL queries to be executed without authentication, which could lead to unauthorized access to, or manipulation of, data in the application's database.

Reproduction

To reproduce this vulnerability, send a POST request to the Sparx Pro Cloud Server endpoint, omitting the 'model' query parameter and placing the model name in the binary blob of the request body instead. The server processes the request without authentication, allowing arbitrary SQL queries to be executed.

Added: May 19, 2026, 2:59 PM
Updated: May 19, 2026, 2:59 PM

Vulnerability Rating

Custom Algorithm

    spread          0.0
    impact          5.0
    exploitability  7.7
    remediation     0.0
    relevance       8.9
    threat          1.6
    urgency         2.9
    incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.