Song-Li cross_browser SQL Injection Vulnerability in Details Endpoint
Vulnerability
A SQL injection vulnerability has been identified in the Song-Li cross_browser application, in the details endpoint of the legacy MySQL-backed Flask component. The endpoint takes an ID value from the JSON request body and concatenates it directly into a SQL SELECT statement; the value is neither bound as a query parameter nor validated as an integer. A remote attacker can therefore alter the structure of the query and read database records the request was never meant to return. Depending on the MySQL configuration and the privileges of the application's database account, the same flaw can also be used for broader data exfiltration or for blind (boolean- or time-based) SQL injection.
Impact
Exploitation of this vulnerability allows an attacker to retrieve unauthorized data from the application's fingerprint database. Depending on the privileges of the MySQL account the application uses and on the injection technique, it may also be possible to exfiltrate data from other tables or to extract data blindly through conditional or time-based queries. Time-based or otherwise resource-intensive payloads can additionally degrade performance or delay responses for other users, so the flaw has an availability impact as well as a confidentiality one.
Reproduction
To reproduce this vulnerability, send a POST request to the /details endpoint with a JSON body whose ID field contains a crafted value rather than a plain integer. Because the value is concatenated into the WHERE clause, standard techniques apply: a tautology such as an always-true OR condition widens the result set, and a trailing SQL comment sequence discards whatever the application appends after the injected value. The server executes the manipulated query and may return database rows that the supplied ID should not have matched.
Remediation
Do not deploy the legacy Flask application with the MySQL backend. If it is already running, remove or disable the vulnerable details endpoint. Prefer the non-SQL experimental backend, or a patched version that validates the ID as an integer and passes it to the database driver as a bound parameter instead of concatenating it into the query string. If the legacy backend must remain in use, restrict access to the endpoint to trusted users and networks, run the application with a least-privilege database account, and monitor request logs for non-numeric ID values and other signs of exploitation.
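The following is an added example, not code from the cross_browser project, showing the vulnerable query construction described in the Reproduction section next to the remediation described above. It uses SQLite from the Python standard library as a stand-in for MySQL so that it runs offline; the table name, column names and sample rows are constructed for illustration. Note the placeholder difference: SQLite uses ?, while MySQL drivers such as PyMySQL and mysql-connector use %s, but the binding principle is the same.

```python
import sqlite3

# Constructed sample rows standing in for the application's fingerprint table.
# Table and column names are assumptions, not the project's real schema.
SAMPLE_ROWS = [
    (1, "alice", "ua-hash-1"),
    (2, "bob", "ua-hash-2"),
    (3, "carol", "ua-hash-3"),
]


def make_db():
    """Build an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fingerprints (id INTEGER PRIMARY KEY, label TEXT, ua_hash TEXT)"
    )
    conn.executemany("INSERT INTO fingerprints VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def details_unsafe(conn, body):
    """Vulnerable pattern: the JSON 'id' value is concatenated into the SQL text.

    A string such as "1 OR 1=1" becomes part of the WHERE clause, so the
    query returns every row instead of the single requested one.
    """
    query = "SELECT id, label, ua_hash FROM fingerprints WHERE id = " + str(body["id"])
    return conn.execute(query).fetchall()


def details_safe(conn, body):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    bool is excluded explicitly because JSON true/false parse as Python bool,
    which is a subclass of int. Anything that is not a genuine integer is
    rejected before the database is touched, which in a Flask view would map
    to an HTTP 400 response.
    """
    raw = body.get("id")
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise ValueError("id must be an integer")
    # "?" is the SQLite placeholder; with a MySQL driver this would be "%s".
    # The driver sends the value separately from the SQL text, so it can
    # never change the query's structure.
    return conn.execute(
        "SELECT id, label, ua_hash FROM fingerprints WHERE id = ?", (raw,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed request bodies: one legitimate, two injected.
    for body in ({"id": 1}, {"id": "1 OR 1=1"}, {"id": "0 OR 1=1 -- tail"}):
        print("unsafe", body, "->", details_unsafe(db, body))
    print("safe", {"id": 2}, "->", details_safe(db, {"id": 2}))
    try:
        details_safe(db, {"id": "1 OR 1=1"})
    except ValueError as exc:
        print("safe rejected injected id:", exc)
```

Binding alone is not a complete fix when the client is allowed to send a string: MySQL will silently cast a value like "1 OR 1=1" to the integer 1 during comparison, which leaks nothing but hides a malformed request. Rejecting non-integer IDs before the query runs, as details_safe does, both closes the injection and makes attempted exploitation visible in logs.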
