MixPHP Framework SQL Injection Vulnerability in joinOn Function
Vulnerability
A SQL injection vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The issue arises in the joinOn function within BuildHelper.php, where user-supplied data in the 'on' array is directly concatenated into SQL JOIN clauses without proper validation or parameterization. This flaw allows attackers to manipulate the SQL query structure, potentially leading to unauthorized data access or modification.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, create a SQL JOIN query using the query builder of MixPHP Framework versions 2.x through 2.2.17. Include crafted data in the 'on' array that exploits the lack of validation and parameterization. The injected identifiers can manipulate the JOIN clause, potentially leading to SQL injection.
Remediation
To address this vulnerability, update the joinOn function to use PDO prepared statements for SQL execution. Validate table and column names against an explicit allowlist derived from the database schema before interpolation into the SQL query.
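The allowlist check described above, as an added example that is not MixPHP's code or the project's patch: a concatenating JOIN builder beside one that only emits identifiers and operators found in an allowlist. The function names, the SCHEMA and OPERATORS constants, the [left, operator, right] shape of the 'on' array and the MySQL-style backtick quoting are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed schema allowlist: table => permitted columns (assumption, not MixPHP data).
const SCHEMA = [
    'users'  => ['id', 'name'],
    'orders' => ['id', 'user_id', 'total'],
];
const OPERATORS = ['=', '<>', '<', '>', '<=', '>='];

// Weak form: the pieces of the 'on' array go straight into the SQL text.
function joinOnUnsafe(string $table, array $on): string
{
    return "INNER JOIN {$table} ON " . implode(' ', $on);
}

// Resolve "table.column" against the allowlist and return it backtick-quoted.
function quoteIdentifier(string $name): string
{
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException("expected table.column, got: {$name}");
    }
    [$table, $column] = $parts;
    if (!array_key_exists($table, SCHEMA) || !in_array($column, SCHEMA[$table], true)) {
        throw new InvalidArgumentException("identifier not in allowlist: {$name}");
    }
    return "`{$table}`.`{$column}`";
}

// Hardened form: every identifier and the operator must match an allowlist entry.
function joinOnSafe(string $table, array $on): string
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException("table not in allowlist: {$table}");
    }
    if (count($on) !== 3 || !in_array($on[1], OPERATORS, true)) {
        throw new InvalidArgumentException('on must be [left, operator, right]');
    }
    return "INNER JOIN `{$table}` ON " . quoteIdentifier($on[0]) . " {$on[1]} " . quoteIdentifier($on[2]);
}

$crafted = ['users.id', '=', 'orders.user_id OR 1=1']; // constructed input
echo joinOnSafe('orders', ['users.id', '=', 'orders.user_id']), PHP_EOL;
echo joinOnUnsafe('orders', $crafted), PHP_EOL; // ON clause now carries the extra condition
try {
    joinOnSafe('orders', $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Identifiers cannot be bound as prepared-statement parameters, so the allowlist covers the JOIN clause while bound parameters cover the values elsewhere in the query.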
