BUG_Author: R1ckyZ
Affected Version: dataCompare ≤ 1.0.1
Vendor: dromara
Software: dataCompare
Vulnerability Files:
src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java
Description:
The DbConfig does not validate or sanitize the JDBC URL. An attacker can inject dangerous connection parameters such as allowLoadLocalInfile, allowUrlInLocalInfile, and autoDeserialize into the JDBC URL. When the connection test is performed in DbconfigServiceImpl, these properties are activated, potentially leading to arbitrary file read, SSRF, or deserialization-based remote code execution.
Proof of Concept:
- After logging in, access the API /system/dbconfig/testConnection and pass a carefully crafted JDBC connection via POST parameters, as shown in the image below.
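The mitigation the description implies is to validate the user-supplied JDBC URL before the connection test runs. The following is an added example, not dataCompare's own code: a strict allowlist check that a service such as DbconfigServiceImpl could call before opening the connection. The class name, the allowed parameter names and the sample URLs are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Added example (not project code): reject any JDBC URL whose query string
// carries a connector property that is not explicitly allowed.
public final class JdbcUrlValidator {

    // Only these query parameters may be supplied by a request. Every other
    // key, including allowLoadLocalInfile, allowUrlInLocalInfile and
    // autoDeserialize, is refused. Connector/J matches property names
    // case-insensitively, so keys are compared lower-cased.
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "usessl", "servertimezone", "characterencoding", "useunicode");

    public static boolean isSafeJdbcUrl(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            return false;
        }
        URI uri;
        try {
            // Drop the "jdbc:" prefix so java.net.URI can parse host, path and query.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            return false;
        }
        // Require a plain host; refuse fragments and authority forms URI cannot parse.
        if (uri.getHost() == null || uri.getFragment() != null) {
            return false;
        }
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) {
            return true;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                    .trim().toLowerCase(Locale.ROOT);
            if (!ALLOWED_PARAMS.contains(key)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is accepted, the other two are refused.
        System.out.println(isSafeJdbcUrl("jdbc:mysql://db.example.internal:3306/app?useSSL=true&serverTimezone=UTC"));
        System.out.println(isSafeJdbcUrl("jdbc:mysql://db.example.internal:3306/app?autoDeserialize=true"));
        System.out.println(isSafeJdbcUrl("jdbc:mysql://db.example.internal:3306/app?allowLoadLocalInfile=true"));
    }
}
```

The check only covers properties passed in the URL; any java.util.Properties object handed to the driver alongside the URL must be built server-side from trusted values rather than from request input.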