Source: cna@vuldb.com
A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection attack, allowing remote attackers to potentially compromise the database and gain unauthorized access to sensitive information. The vulnerability, located in /worksheet/agent_worksadd.jsp, is easily exploitable due to a lack of input validation on the ID parameter, and a public exploit is available. The vendor has not responded, making this a high-priority security risk.
Step 1: Request Initiation: The attacker crafts a malicious HTTP GET request targeting the /worksheet/agent_worksadd.jsp file.
Step 2: Payload Delivery: The attacker includes a specially crafted SQL injection payload within the ID parameter of the GET request. This payload is designed to manipulate the underlying SQL query.
Step 3: Server-Side Processing: The vulnerable application receives the malicious request and processes the ID parameter.
Step 4: Query Execution: The application constructs an SQL query using the attacker-supplied ID value without proper sanitization. The malicious payload is directly incorporated into the query.
Step 5: Database Interaction: The crafted SQL query, now containing the attacker's payload, is executed against the database.
Step 6: Data Exfiltration/Manipulation: Depending on the payload, the attacker can potentially extract sensitive data (e.g., usernames, passwords), modify existing data, or even gain complete control over the database server.
The vulnerability stems from insufficient input validation on the ID parameter in /worksheet/agent_worksadd.jsp: the application concatenates the user-controlled ID value directly into an SQL query string instead of binding it as a parameter, so an attacker can inject SQL through that parameter. The root cause is therefore the missing (or inadequate) combination of input validation and parameterized queries; without prepared statements, or stored procedures called with bound parameters, the database cannot distinguish the intended query from injected text.
While no specific APT groups are definitively linked to this vulnerability at this time, the public availability of the exploit and the vendor's lack of response make it attractive to a wide range of threat actors. This vulnerability could be leveraged by financially motivated actors for data theft or ransomware attacks. CISA KEV: Not Listed (as of this report).
Network Intrusion Detection Systems (NIDS) should be configured to detect suspicious HTTP GET requests to /worksheet/agent_worksadd.jsp whose ID parameter contains SQL injection payloads, such as common SQL keywords (e.g., SELECT, UNION, WHERE, OR). Match on the URL-decoded parameter value, since payloads are normally percent-encoded, and expect some tuning: a keyword such as OR also occurs in legitimate input.
Web Application Firewalls (WAFs) can be deployed to filter malicious requests based on SQL injection signatures.
Review web server access logs for unusual activity, such as a high volume of requests to /worksheet/agent_worksadd.jsp or requests containing suspicious payloads in the ID parameter.
Monitor database server logs for suspicious queries or unauthorized access attempts.
Implement file integrity monitoring to detect any unauthorized modifications to /worksheet/agent_worksadd.jsp.
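The log review described above, as an added example that is not part of the advisory and not Yonyou's code: a small Python scanner that parses constructed Combined Log Format lines, URL-decodes the ID parameter of requests to /worksheet/agent_worksadd.jsp, and flags values that look like injection attempts. The assumption that ID is normally an integer, the log format, and the sample lines are all constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Added example (not Yonyou's code and not from the advisory). The log lines
# below are constructed for the demo; no real server produced them.
TARGET_PATH = "/worksheet/agent_worksadd.jsp"
PARAM = "id"  # matched case-insensitively; the advisory names it "ID"

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /worksheet/agent_worksadd.jsp?ID=1024 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /worksheet/agent_worksadd.jsp?ID=1%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /worksheet/agent_worksadd.jsp?ID=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Combined Log Format prefix: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords the advisory lists plus a few statement verbs. Keyword hits alone are
# noisy ("or" is an ordinary word), so they are one signal among several.
KEYWORD_RE = re.compile(r"\b(select|union|where|or|and|insert|update|delete|drop)\b", re.I)
QUOTE_COMMENT_RE = re.compile(r"'|--|;|/\*")


def parse_line(line):
    """Return client IP, path, decoded query parameters and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so "%27" becomes "'" before inspection.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": parts.path, "params": params, "status": int(m.group("status"))}


def suspicious_reasons(value):
    """List the indicators that make one ID value look like an injection attempt."""
    reasons = []
    if not value.isdigit():
        reasons.append("non-numeric")  # assumption for the demo: ID is an integer key
    if QUOTE_COMMENT_RE.search(value):
        reasons.append("quote-or-comment")
    if KEYWORD_RE.search(value):
        reasons.append("sql-keyword")
    return reasons


def scan_log(text):
    """Flag requests to the vulnerable endpoint whose ID parameter carries injection indicators."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get(PARAM, []):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append({"ip": rec["ip"], "value": value, "status": rec["status"], "reasons": reasons})
    return findings


def requests_per_ip(text):
    """Count requests to the endpoint per client, for the 'high volume' indicator."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] == TARGET_PATH:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}  ID={f['value']!r}  status={f['status']}  reasons={','.join(f['reasons'])}")
    print("requests to endpoint per client:", requests_per_ip(SAMPLE_LOG))
```

Run against a real access log, the scanner reports two hits from 203.0.113.9 and none for the plain numeric request; the per-client count supports the volume check from the same pass. The non-numeric rule is the strongest signal if the deployment really does use integer IDs, because it does not depend on a keyword list.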
Implement input validation on the ID parameter to sanitize user-supplied input. This includes filtering out or escaping special characters that could be used in SQL injection attacks.
Use parameterized queries or prepared statements to prevent SQL injection. This ensures that user-supplied input is treated as data and not as executable code.
Apply the latest security patches from Yonyou (if available).
If patching is not immediately possible, consider implementing a Web Application Firewall (WAF) to filter malicious requests.
Review and harden database server configurations, including limiting user privileges and enabling auditing.
Conduct regular security audits and penetration testing to identify and address vulnerabilities.
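The first two recommendations (input validation and parameterized queries), as an added example that is not the advisory's or Yonyou's code and does not reflect the real JSP or its schema: the string-concatenation pattern the root-cause analysis describes, next to a bound-parameter lookup and an allowlist check in front of it, run against an in-memory SQLite table constructed for the demo.

```python
import sqlite3

# Added example (not Yonyou's code; the real application is a JSP and its schema
# is unknown). Table, rows and column names are constructed for the demo.


def setup_db():
    """Create an in-memory table standing in for whatever the real endpoint queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE worksheet (id INTEGER PRIMARY KEY, agent TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO worksheet VALUES (?, ?, ?)",
        [(1, "alice", "public"), (2, "bob", "confidential"), (3, "carol", "internal")],
    )
    return conn


def lookup_concat(conn, raw_id):
    """VULNERABLE pattern from the root-cause analysis: the request value becomes SQL text."""
    sql = "SELECT id, agent FROM worksheet WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, raw_id):
    """HARDENED: a bound parameter is sent as data, so it can never change the query's shape."""
    return conn.execute("SELECT id, agent FROM worksheet WHERE id = ?", (raw_id,)).fetchall()


def lookup_validated(conn, raw_id):
    """Defense in depth: allowlist the value's shape, then still use the bound parameter."""
    if not raw_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return lookup_param(conn, int(raw_id))


if __name__ == "__main__":
    db = setup_db()
    benign, hostile = "2", "1 OR 1=1"
    print("concatenated, benign :", lookup_concat(db, benign))
    print("concatenated, hostile:", lookup_concat(db, hostile))  # every row leaks
    print("parameterized, hostile:", lookup_param(db, hostile))  # no row matches
    print("validated, benign    :", lookup_validated(db, benign))
```

With the hostile value the concatenated query returns every row because the database parsed the input as part of the WHERE clause, while the bound parameter compares the whole string against the id column and matches nothing. The allowlist check is not a substitute for the bound parameter; it only rejects malformed input earlier and gives a clean error to log.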