Source: cna@vuldb.com
A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. Manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection flaw, allowing attackers to remotely execute arbitrary database queries. This vulnerability, located in the /worksheet/agent_worksdel.jsp file, can lead to complete system compromise and data exfiltration. The vendor has not responded to the disclosure, making this a high-risk situation.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP GET request targeting the /worksheet/agent_worksdel.jsp endpoint.
Step 2: Parameter Manipulation: The attacker includes a crafted SQL injection payload within the ID parameter of the GET request. This payload is designed to alter the intended SQL query.
Step 3: Request Processing: The vulnerable agent_worksdel.jsp file receives the malicious request and extracts the attacker-controlled ID parameter.
Step 4: Query Execution: The application constructs a SQL query using the attacker-supplied ID parameter without proper sanitization. The malicious payload is directly incorporated into the query.
Step 5: Database Interaction: The crafted SQL query, now containing the attacker's payload, is executed against the database.
Step 6: Data Exfiltration/System Compromise: Depending on the payload, the attacker can then extract sensitive data (e.g., usernames, passwords), modify database contents, or potentially gain remote code execution on the server.
The vulnerability stems from improper input validation of the ID parameter within the /worksheet/agent_worksdel.jsp file. Specifically, the application fails to sanitize user-supplied input before incorporating it into a SQL query. This allows an attacker to inject malicious SQL code, altering the intended query logic. The root cause is a lack of parameterized queries or prepared statements, which would have prevented the injection of attacker-controlled data into the query. The absence of input validation, such as filtering or escaping special characters, further exacerbates the issue. The vulnerable code likely directly concatenates the ID parameter into a SQL query string without proper sanitization.
While no specific APT groups are definitively linked to the exploitation of this vulnerability at this time, the public availability of the exploit and the severity of the vulnerability make it attractive to various threat actors. This vulnerability could be leveraged by ransomware groups or for data theft. CISA KEV status: Likely to be added soon due to the public exploit and lack of vendor response.
Network Intrusion Detection Systems (NIDS) should be configured to detect SQL injection attempts. Look for suspicious patterns in HTTP GET requests, such as the use of SQL keywords (e.g., SELECT, UPDATE, INSERT, DELETE, UNION, OR, AND) within the ID parameter of requests to /worksheet/agent_worksdel.jsp.
Web Application Firewalls (WAFs) can be deployed to filter malicious requests. Configure the WAF to block requests containing SQL injection payloads.
Review web server access logs for unusual activity, such as a high volume of requests to /worksheet/agent_worksdel.jsp or requests containing suspicious payloads in the ID parameter.
Monitor database query logs for unexpected or malicious queries. Look for queries that contain attacker-controlled input or that perform unauthorized operations.
Implement file integrity monitoring to detect any unauthorized modifications to the /worksheet/agent_worksdel.jsp file or other related files.
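The log review and NIDS guidance above can be turned into a concrete check. The following is an added example, not code from the advisory or from Yonyou: a Python scanner over web server access log lines (combined log format) that isolates requests to /worksheet/agent_worksdel.jsp, decodes the ID parameter, flags values that are not a plain integer, contain the SQL keywords the advisory lists, or contain quote/comment characters, and separately flags source addresses that hit the endpoint unusually often. The log lines, the integer-only format of a worksheet ID, and the volume threshold are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/worksheet/agent_worksdel.jsp"

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords named in the advisory, matched as whole words, case-insensitive,
# plus the quote and comment characters that normally accompany an injection.
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|UPDATE|INSERT|DELETE|UNION|OR|AND)\b", re.IGNORECASE)
SQL_META_RE = re.compile(r"['\";]|--|/\*|#")


def classify_id(decoded_id: str) -> list:
    """Return the reasons a (URL-decoded) ID value looks suspicious; empty means benign."""
    reasons = []
    if not decoded_id.isdigit():          # assumption: a worksheet ID is a plain integer
        reasons.append("non-numeric")
    if SQL_KEYWORD_RE.search(decoded_id):
        reasons.append("sql-keyword")
    if SQL_META_RE.search(decoded_id):
        reasons.append("sql-metachar")
    return reasons


def scan_access_log(lines, volume_threshold=5):
    """Scan log lines; return one finding per suspicious ID plus per-IP volume alerts."""
    findings = []
    hits_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a recognisable access-log line
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue                        # only the vulnerable endpoint matters here
        hits_per_ip[m["ip"]] += 1
        # parse_qs percent-decodes the values, so "%27%20OR" arrives as "' OR"
        for decoded_id in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
            reasons = classify_id(decoded_id)
            if reasons:
                findings.append({"ip": m["ip"], "time": m["time"],
                                 "id": decoded_id, "reasons": reasons})
    for ip, n in hits_per_ip.items():
        if n >= volume_threshold:
            findings.append({"ip": ip, "time": None, "id": None,
                             "reasons": ["high-volume:%d" % n]})
    return findings


# Constructed sample lines (not real traffic): one benign request, two with
# suspicious ID values, and two requests to other paths that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /worksheet/agent_worksdel.jsp?ID=1042 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /worksheet/agent_worksdel.jsp?ID=1042%27%20OR%201%3D1-- HTTP/1.1" 200 9876',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /worksheet/agent_worksdel.jsp?ID=1%20UNION%20SELECT%201 HTTP/1.1" 500 120',
    '10.0.0.6 - - [01/Jan/2025:10:00:04 +0000] "GET /index.jsp?ID=SELECT HTTP/1.1" 200 3000',
    '10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "POST /login.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run it against an exported access log by replacing SAMPLE_LOG with the file's lines. The integer-only check is the most valuable of the three: it does not depend on a keyword list, so encoded or obfuscated payloads are still caught as long as the expected ID format is genuinely numeric. The keyword match is kept because it names the pattern the advisory asks NIDS rules to look for.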
Implement input validation: Sanitize all user-supplied input, especially the ID parameter, before using it in SQL queries. Use a whitelist approach to allow only expected characters and formats.
Use parameterized queries or prepared statements: This is the most effective way to prevent SQL injection. Parameterized queries treat user input as data, not as executable code.
Apply the latest security patches: If the vendor releases a patch, apply it immediately. Monitor vendor advisories for updates.
Implement a Web Application Firewall (WAF): A WAF can help to filter malicious requests and protect against SQL injection attacks.
Review and harden database configurations: Ensure that the database server is configured securely, with strong passwords and restricted access.
Implement the principle of least privilege: Grant database users only the minimum necessary permissions.
Conduct regular vulnerability scans: Use vulnerability scanners to identify and remediate security vulnerabilities in the application and infrastructure.
Consider a temporary workaround: If patching is not immediately feasible, consider blocking access to the /worksheet/agent_worksdel.jsp file or restricting access to the affected functionality until a patch is available.
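The first two mitigations (whitelist validation and parameterized queries) are shown side by side with the concatenation pattern the root-cause section describes. This is an added example and not Yonyou's code: the advisory does not show the JSP source, so a Python function over an in-memory SQLite table stands in for the JSP/JDBC delete. The table layout, the column names and the rule that an ID is a positive integer of at most ten digits are assumptions.

```python
import re
import sqlite3

# Whitelist for the ID parameter: positive integer, at most ten digits (assumption).
ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def make_db():
    """Constructed sample table standing in for the worksheet store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE worksheet (id INTEGER PRIMARY KEY, agent TEXT)")
    conn.executemany("INSERT INTO worksheet VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def delete_worksheet_unsafe(conn, raw_id):
    """The pattern the advisory names as the likely root cause: the request
    parameter is concatenated into the statement, so it is parsed as SQL.
    Kept only to contrast with the hardened versions below."""
    cur = conn.execute("DELETE FROM worksheet WHERE id = " + raw_id)
    conn.commit()
    return cur.rowcount


def delete_worksheet_param_only(conn, raw_id):
    """Parameter binding alone: the value is sent as data, never parsed as SQL.
    A non-numeric string simply matches no row."""
    cur = conn.execute("DELETE FROM worksheet WHERE id = ?", (raw_id,))
    conn.commit()
    return cur.rowcount


def validate_id(raw_id):
    """Whitelist validation: reject anything that is not a plain positive integer."""
    if raw_id is None or not ID_RE.fullmatch(raw_id):
        raise ValueError("ID must be a positive integer")
    return int(raw_id)


def delete_worksheet_safe(conn, raw_id):
    """Both layers together: validate first, then bind the typed value."""
    wid = validate_id(raw_id)
    cur = conn.execute("DELETE FROM worksheet WHERE id = ?", (wid,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left in the table; used to show the blast radius of each variant."""
    return conn.execute("SELECT COUNT(*) FROM worksheet").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("safe delete of id 2 removed", delete_worksheet_safe(db, "2"), "row(s)")
    try:
        delete_worksheet_safe(db, "2; DROP TABLE worksheet")
    except ValueError as exc:
        print("rejected:", exc)
    print("rows remaining:", remaining(db))
```

Parameter binding is the fix the advisory calls the most effective, and on its own it already keeps an injected string from altering the query. The validation layer is still worth keeping: it turns a malformed ID into an immediate, loggable error instead of a silent no-op, which is also the event a detection rule can key on.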