AutohomeCorp Frostmourne SQL Injection Vulnerability in Alarm Preview Component

Vulnerability

A SQL injection vulnerability has been identified in AutohomeCorp Frostmourne versions through 1.0. The issue resides in the Alarm Preview component, specifically in the httpTest function of the /api/monitor-api/alarm/previewData endpoint. An authenticated user can submit raw SQL that the server concatenates into a backend statement without parameterization and then executes, so arbitrary SQL expressions run on the server's MySQL database with whatever privileges the application's database account holds.

Impact

An authenticated attacker can execute arbitrary SQL statements against the backend MySQL database, leading to unauthorized reading, modification or deletion of data; the reach is bounded only by the privileges of the database account the application connects with. The vulnerability advisory classifies this issue as critical.

Reproduction

Reproduction requires an authenticated account. The attacker first enumerates a reachable MySQL data name through the findDataNameByType API endpoint, since a preview must be bound to an existing data source. With a valid data name, the attacker sends a harmless baseline query through the httpTest function of /api/monitor-api/alarm/previewData and records the response time, then sends a query containing a deliberate delay (MySQL's SLEEP() is the usual choice); a response that is slower by that delay confirms that the submitted SQL is executed server-side. From there, arbitrary SQL payloads submitted through the same function run against the MySQL database.

Added: Apr 5, 2026, 12:18 PM
Updated: Apr 5, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          3.1
exploitability  6.2
remediation     0.0
relevance       5.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.