CVE-2025-15425

MEDIUM 6.9 / 10.0
Published: January 2, 2026 at 03:15 AM
Modified: January 15, 2026 at 04:36 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. Executing manipulation of the argument ID can lead to SQL injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score: 6.9
Severity: MEDIUM
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Yonyou KSOA 9.0 is vulnerable to SQL injection in the /worksheet/del_user.jsp file, allowing remote attackers to execute arbitrary SQL commands. The flaw stems from improper handling of the ID parameter. Depending on the database user's privileges, it can lead to data exfiltration or system compromise, and the risk is heightened by the public availability of an exploit and the vendor's lack of response.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker sends an HTTP GET request to /worksheet/del_user.jsp with a SQL injection payload in the ID parameter.
Step 2: Request Processing: The vulnerable application receives the malicious request and attempts to process it.
Step 3: Query Construction: The application constructs a SQL query using the value of the ID parameter without proper sanitization.
Step 4: SQL Injection: The malicious SQL payload injected into the ID parameter is executed by the database server.
Step 5: Data Manipulation: The attacker's injected SQL commands are executed, allowing for data retrieval, modification, or system compromise, depending on the payload and database user privileges.

03 // Deep Technical Analysis

The vulnerability lies within the /worksheet/del_user.jsp file in Yonyou KSOA 9.0. The root cause is the insecure handling of the ID parameter of the HTTP GET request: the application fails to sanitize user-supplied input before incorporating it into a SQL query. Specifically, the application likely constructs a SQL query that directly includes the value of the ID parameter without any form of input validation or escaping. This allows an attacker to inject SQL that adds, deletes, or modifies data within the database, or even to execute arbitrary commands on the server if the database user has sufficient privileges. The lack of vendor response exacerbates the risk, as no official patches or mitigations are available.
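With no vendor patch, reviewing web access logs for abnormal ID values on this endpoint is one way to spot probing. The following is an added example, not code from the advisory or from Yonyou; it assumes combined-format access logs and that legitimate ID values are plain decimal integers, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/worksheet/del_user.jsp"  # endpoint named in the advisory
# Assumption: legitimate ID values are plain decimal integers.
SAFE_ID = re.compile(r"[0-9]{1,18}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def suspicious_requests(log_lines):
    """Return (client, decoded_ids) for del_user.jsp hits with a non-numeric ID."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Drop path parameters (";jsessionid=...") and fold case, as a
        # precaution in case the server matches paths case-insensitively.
        path = url.path.split(";", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        # parse_qsl percent-decodes values; keep blanks so "ID=" is seen too.
        ids = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
               if k.lower() == "id"]
        client = line.split(" ", 1)[0]
        # Repeated ID parameters are flagged as well: which one the
        # application reads is not known from the advisory.
        if len(ids) > 1 or any(not SAFE_ID.fullmatch(v) for v in ids):
            findings.append((client, ids))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [03/Jan/2026:10:00:01 +0000] '
    '"GET /worksheet/del_user.jsp?ID=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jan/2026:10:00:05 +0000] '
    '"GET /worksheet/del_user.jsp?ID=42%27 HTTP/1.1" 500 1203',
    '203.0.113.5 - - [03/Jan/2026:10:00:09 +0000] '
    '"GET /Worksheet/del_user.jsp;x=1?id=7&ID=abc HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/Jan/2026:10:00:12 +0000] '
    '"GET /index.jsp?ID=1%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, ids in suspicious_requests(SAMPLE):
        print(f"{client} sent non-numeric or repeated ID: {ids!r}")
```

If the application does accept non-numeric IDs, replace `SAFE_ID` with the actual allowed format before relying on the results.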
