Linlinjava Litemall Argument Injection Vulnerability in Database Setting Handler

Vulnerability

A critical argument injection vulnerability has been identified in Linlinjava Litemall versions through 1.8.0. The issue arises in the Database Setting Handler, specifically within the backup and load functions of the DbUtil.java file. The vulnerability allows for the injection of additional command-line arguments into mysqldump and mysql commands by manipulating the db or password parameters. This exploitation can be performed remotely, and the vulnerability has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for arbitrary file writing, which could lead to remote code execution by scheduling malicious cron jobs or exfiltrating database contents through a web-accessible directory.

Reproduction

The vulnerability can be reproduced by injecting a command-line argument, such as '--result-file', into the db or password parameters of the backup or load functions. This is done by sending a crafted request that carries the payload in the vulnerable parameters. Because the command is assembled as a single string, the injected token is passed to mysqldump or mysql as an additional argument alongside the original ones, which demonstrates the vulnerability.

Remediation

To address this vulnerability, replace the Runtime.exec() method with ProcessBuilder, using an argument array to specify the command and its parameters. This prevents argument injection because each array element reaches the child process as exactly one argument: no whitespace tokenization of a concatenated command string can turn part of a user-controlled value into a separate mysqldump or mysql option.
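The following is an added illustration of the remediation, not code from the Litemall project or its DbUtil.java. It contrasts the whitespace tokenization that Runtime.exec(String) applies to a concatenated command string with a ProcessBuilder argument array, and adds a schema-name allowlist and a leading-dash check on top, since a value passed as its own array element can still be parsed as an option if it begins with '-'. The flag spellings (--host, --user, --password, --result-file) are standard mysqldump long options; the helper names, the sample inputs and the output path are constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

// Added example: vulnerable string-concatenation pattern next to a hardened
// ProcessBuilder version. Not the project's own DbUtil.java.
public class DbBackupExample {

    // Hypothetical helper that mirrors what Runtime.exec(String) does internally:
    // the command string is split on whitespace with StringTokenizer, so a space
    // inside any user-controlled value produces an extra argv element.
    static List<String> vulnerableTokenize(String host, String user, String password,
                                           String db, String outFile) {
        String cmd = "mysqldump -h" + host + " -u" + user + " -p" + password
                   + " " + db + " -r " + outFile;
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(cmd);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Allowlist for a MySQL schema name: letters, digits, underscore, dollar.
    // Constructed here; adjust to the naming rules of the deployment.
    private static final Pattern DB_NAME = Pattern.compile("[A-Za-z0-9_$]{1,64}");

    // Hardened: every value is exactly one argv element (no tokenization), the
    // schema name must match the allowlist, and no credential value may start
    // with '-', so nothing user-controlled can be read as a mysqldump option.
    static List<String> buildBackupCommand(String host, String user, String password,
                                           String db, File outFile) {
        if (db == null || !DB_NAME.matcher(db).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }
        for (String v : Arrays.asList(host, user, password)) {
            if (v == null || v.isEmpty() || v.startsWith("-")) {
                throw new IllegalArgumentException("option-like value rejected");
            }
        }
        List<String> argv = new ArrayList<>();
        argv.add("mysqldump");
        argv.add("--host=" + host);
        argv.add("--user=" + user);
        // A password on the command line is visible in process listings; a
        // defaults-extra-file is the usual alternative (general mysql client
        // behaviour, outside the scope of the advisory).
        argv.add("--password=" + password);
        argv.add("--result-file=" + outFile.getAbsolutePath());
        argv.add(db);
        return argv;
    }

    // Runs the prepared argv with ProcessBuilder; no shell is involved, so the
    // list is handed to the OS exactly as built.
    static int runBackup(List<String> argv) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        p.getInputStream().transferTo(System.err); // surface mysqldump output for logging
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed input: a schema name carrying a space and a dash-prefixed token.
        String db = "litemall --extra-token";

        List<String> bad = vulnerableTokenize("127.0.0.1", "root", "secret", db, "/tmp/backup.sql");
        System.out.println("Runtime.exec(String) would see " + bad.size() + " argv elements: " + bad);

        try {
            buildBackupCommand("127.0.0.1", "root", "secret", db, new File("/tmp/backup.sql"));
        } catch (IllegalArgumentException e) {
            System.out.println("hardened builder rejected input: " + e.getMessage());
        }

        List<String> good = buildBackupCommand("127.0.0.1", "root", "secret", "litemall",
                                               new File("/tmp/backup.sql"));
        System.out.println("hardened argv (" + good.size() + " elements): " + good);
        // runBackup(good) would execute it; omitted here so the example runs without MySQL.
    }
}
```

The same construction applies to the load path: build the mysql argument list element by element, validate the schema name, and feed the dump through the process's standard input (or --execute with a validated statement) rather than appending a shell-style redirection to a string.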

Added: May 18, 2026, 12:19 AM
Updated: May 18, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 3.1
exploitability: 9.7
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.