A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection flaw, allowing remote attackers to execute arbitrary SQL commands. This unpatched vulnerability, affecting the /worksheet/agent_work_report.jsp file, poses a significant risk of data breaches and system compromise. The vendor has not responded to the disclosure, increasing the urgency of mitigation.
Step 1: Payload Delivery: The attacker crafts a malicious SQL injection payload. This payload is designed to manipulate the SQL query executed by the application.
Step 2: Request Submission: The attacker sends a specially crafted HTTP request to the vulnerable endpoint /worksheet/agent_work_report.jsp, including the malicious payload within the ID parameter.
Step 3: Query Execution: The application receives the request and, due to the lack of input validation, directly incorporates the attacker's payload into a SQL query without proper sanitization.
Step 4: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's malicious code.
Step 5: Data Exfiltration/System Compromise: Depending on the payload, the attacker can extract sensitive information (e.g., usernames, passwords, database contents) or execute commands on the database server, potentially leading to complete system compromise.
The vulnerability stems from insufficient validation of the ID parameter in /worksheet/agent_work_report.jsp: the application does not sanitize this user-supplied value before incorporating it into a SQL query, so an attacker can inject SQL that the database server then executes. The root cause is a missing or inadequate use of parameterized queries (or equivalent input validation), which leads to user-controlled data being embedded directly into SQL statements. Queries constructed this way can bypass the application's security measures, potentially leading to unauthorized access, data modification, or complete system takeover.
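As an added example (not code from the advisory or from Yonyou), the following detector applies to web server access logs the allow-list check the endpoint itself lacks: any request to /worksheet/agent_work_report.jsp whose ID parameter is not a short positive integer is reported. It covers the request-submission step above and the root-cause paragraph; the log lines and client addresses are constructed, and the combined-log-format layout is an assumption about the server in front of KSOA.

```python
"""Flag requests to the KSOA endpoint whose ID parameter is not a plain integer.
Constructed example: log lines and addresses below are made up for illustration."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/worksheet/agent_work_report.jsp"
# Combined log format (assumed): client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def id_values(target):
    """Return every decoded ID value in a request target aimed at the vulnerable path."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    values = []
    for key, items in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "id":  # parameter names are matched case-insensitively
            # parse_qs decoded once; a second unquote surfaces double-encoded input (%2527)
            values.extend(unquote(v) for v in items)
    return values


def is_suspicious(value):
    """Allow-list rule: a report ID is expected to be 1-10 decimal digits, nothing else."""
    return re.fullmatch(r"\d{1,10}", value) is None


def scan(lines):
    """Return (client, decoded ID) pairs for requests that fail the allow-list rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in id_values(m["target"]):
            if is_suspicious(value):
                findings.append((m["ip"], value))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /worksheet/agent_work_report.jsp?ID=1024 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /worksheet/agent_work_report.jsp?ID=1024%27%20OR%201%3D1-- HTTP/1.1" 200 9871',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /worksheet/agent_work_report.jsp?id=1024%2527 HTTP/1.1" 500 221',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /worksheet/other.jsp?ID=1%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"suspicious ID from {client}: {value!r}")
```

Only the two requests from 10.0.0.9 are reported; the last line is ignored because it targets a different path.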