Dromara MaxKey SQL Injection Vulnerability in StrUtils Utility
Vulnerability
A SQL injection vulnerability has been identified in Dromara MaxKey versions through 3.5.13. The issue lies in the StrUtils.checkSqlInjection function in StrUtils.java: user-controlled input passed in the filtersfields argument is not properly sanitized, so SQL injection attacks can be carried out remotely. The vulnerability has been publicly disclosed and exploited.
Impact
Exploitation of this vulnerability allows authenticated administrators to perform SQL injection attacks, with potential consequences including unauthorized data access or manipulation.
Reproduction
To reproduce this vulnerability, an authenticated administrator must log into the MaxKey management interface and navigate to the 'Account Strategies' section. While creating or editing a strategy, the 'filters' field can be manipulated to include SQL injection payloads, bypassing the application's SQL injection prevention measures. The injected SQL is executed on the database, leading to unauthorized data access or manipulation.
Remediation
It is recommended to parameterize SQL queries and implement strict input validation for the 'filters' and 'orgIdsList' fields. Additionally, the SQL injection detection function should be enhanced to cover a broader range of SQL injection vectors.
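As an added illustration of this remediation (not MaxKey's own code, and written in Python rather than the project's Java), the function below accepts the 'filters' and 'orgIdsList' inputs only through an allowlisted grammar and binds every value as a query parameter, so a clause the grammar does not recognize is rejected instead of reaching the database. The column names, the users table and its rows are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Allowlists: only these columns and operators may appear in a filter clause.
# Column names and operators come from these sets, never from the request text.
ALLOWED_FIELDS = {"status", "department", "employeenumber"}  # assumed column names
ALLOWED_OPS = {"=", "!=", "<", ">", "like"}
# One clause: <field> <op> <'quoted string' | integer>, nothing else on the line.
_CLAUSE = re.compile(r"^\s*(\w+)\s*(=|!=|<|>|like)\s*(?:'([^']*)'|(\d+))\s*$", re.I)
_ORG_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed org id format


def build_where(filters: str, org_ids: List[str]) -> Tuple[str, list]:
    """Convert "field op value and field op value" plus an org id list into a
    WHERE fragment with '?' placeholders and the matching parameter list.
    Anything outside the grammar raises ValueError rather than being concatenated."""
    clauses, params = [], []
    for raw in (filters.split(" and ") if filters.strip() else []):
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"rejected filter clause: {raw!r}")
        field, op, str_val, num_val = m.groups()
        if field.lower() not in ALLOWED_FIELDS or op.lower() not in ALLOWED_OPS:
            raise ValueError(f"field or operator not allowed: {raw!r}")
        clauses.append(f"{field.lower()} {op.upper()} ?")
        params.append(str_val if str_val is not None else int(num_val))
    for org in org_ids:
        if not _ORG_ID.match(org):
            raise ValueError(f"rejected org id: {org!r}")
    if org_ids:
        clauses.append("orgid IN (" + ",".join("?" * len(org_ids)) + ")")
        params.extend(org_ids)
    return " AND ".join(clauses), params


def find_users(conn: sqlite3.Connection, filters: str, org_ids: List[str]) -> List[str]:
    """Run the parameterized lookup; values travel as bound parameters only."""
    where, params = build_where(filters, org_ids)
    sql = "SELECT username FROM users" + (f" WHERE {where}" if where else "") + " ORDER BY username"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, status INTEGER, department TEXT, orgid TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)",
                     [("alice", 1, "IT", "org1"), ("bob", 0, "IT", "org1"), ("carol", 1, "HR", "org2")])
    return conn
```

A value containing the literal token " and " is not handled by this toy grammar; a production filter parser would tokenize quoted strings before splitting on the conjunction.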
