Jinhe OA SQL Injection Vulnerability in User Selection Component
Vulnerability
A SQL injection vulnerability has been identified in Jinhe OA version 1.0, specifically within the UserSel.aspx file of the PlanSummarize component. The vulnerability arises because the DeptIDList parameter is improperly validated, allowing remote attackers to execute arbitrary SQL commands on the backend database. This flaw could lead to unauthorized access to sensitive data, potential privilege escalation, and in some cases, remote code execution on the database server.
Impact
Exploitation of this vulnerability could result in unauthorized access to sensitive user and business data, potential privilege escalation through database access, and in some cases, remote code execution on the database server.
Reproduction
The vulnerability can be reproduced by sending an HTTP GET request to the UserSel.aspx page with a crafted DeptIDList parameter. Because the parameter value is incorporated into the application's database queries, injected SQL alters the query the backend executes; for example, injected SQL that delays the response (a time-based probe) or extracts database information.
Remediation
To address this vulnerability, it is recommended to implement parameterized queries using prepared statements, apply strict input validation for all user inputs (for DeptIDList, accepting only a list of integer identifiers), enforce the principle of least privilege for database accounts, conduct a comprehensive code security audit, and deploy a web application firewall as an interim mitigation while the code is fixed.
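The following is an added C# illustration of the remediation above and is not Jinhe OA's own code; the handler, table and column names are assumed. It shows the concatenation pattern that makes DeptIDList injectable next to a hardened version that validates each element as an integer and binds it as a separate parameter, since a comma-separated list cannot be bound as a single parameter to an IN (...) clause.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Hypothetical handler for the DeptIDList parameter; not Jinhe OA's own code.
public static class DeptUserQuery
{
    // Vulnerable pattern: the raw query-string value becomes part of the SQL text,
    // so whatever the client sends is executed as part of the statement.
    public static string BuildVulnerableSql(string deptIdList)
    {
        return "SELECT UserID, UserName FROM Users WHERE DeptID IN (" + deptIdList + ")";
    }

    // Hardened form: validate every element as a plain integer and bind each one
    // as its own parameter. Returns null when the input is rejected.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string deptIdList)
    {
        if (string.IsNullOrWhiteSpace(deptIdList))
            return null;

        var ids = new List<int>();
        foreach (var part in deptIdList.Split(','))
        {
            // NumberStyles.None accepts digits only: quotes, spaces, signs and
            // comment sequences all fail the parse and the request is rejected.
            if (!int.TryParse(part.Trim(), NumberStyles.None, CultureInfo.InvariantCulture, out int id))
                return null;
            ids.Add(id);
        }
        if (ids.Count == 0 || ids.Count > 100) // cap list length to bound query cost
            return null;

        var cmd = conn.CreateCommand();
        var placeholders = new List<string>();
        for (int i = 0; i < ids.Count; i++)
        {
            string name = "@dept" + i;
            placeholders.Add(name);
            cmd.Parameters.Add(name, SqlDbType.Int).Value = ids[i]; // typed binding, no string splicing
        }
        cmd.CommandText = "SELECT UserID, UserName FROM Users WHERE DeptID IN ("
                          + string.Join(",", placeholders) + ")";
        cmd.CommandTimeout = 5; // limit how long any single request can hold the database
        return cmd;
    }
}
```

The SQL text in the hardened version is built only from fixed strings and generated placeholder names; the client-supplied values never touch it, which is what removes the injection regardless of what the WAF in front of the application does or does not catch.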
