A vulnerability has been found in Yonyou KSOA 9.0. It affects an unknown function of the file /worksheet/work_update.jsp. Manipulation of the argument Report leads to SQL injection. The attack can be launched remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection flaw in /worksheet/work_update.jsp that allows a remote attacker to execute arbitrary SQL statements against the application's backend database. The consequences range from disclosure and modification of database contents to compromise of the database host, depending on the privileges the application's database account holds. No vendor patch is available and a public exploit exists, so exposed installations should be treated as at immediate risk.
Step 1: Payload Delivery: The attacker sends an HTTP request to the /worksheet/work_update.jsp endpoint in which the Report parameter carries a SQL injection payload.
Step 2: Request Processing: The application reads the Report parameter from the request without validating or rejecting it.
Step 3: SQL Query Construction: The application splices the raw Report value into the text of a SQL statement.
Step 4: Query Execution: The database server executes the resulting statement, including the attacker-supplied SQL.
Step 5: Data Exfiltration/System Compromise: The injected SQL lets the attacker read sensitive data, modify database contents, or, depending on the database engine, its configuration and the privileges of the application's database account, escalate to command execution on the database host.
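Because no patch is available, defenders will want to spot the request described in Step 1 in web server logs. The following is an added example, not code from the advisory or from Yonyou: it parses Combined Log Format lines, extracts the Report parameter from requests to /worksheet/work_update.jsp, and flags values containing SQL metacharacters or keywords. The log lines, hosts and timestamps are constructed for the demonstration, and the detection regex is a starting heuristic that has to be tuned to legitimate Report values in the deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Combined Log Format lines (hosts, timestamps and payloads are invented).
# Line 2 is a UNION-based read of another table; line 3 is a time-based probe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0800] "GET /worksheet/work_update.jsp?Report=RPT-1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:01:09 +0800] "GET /worksheet/work_update.jsp?Report=x%27%20UNION%20SELECT%20id%2Cusername%2Cpassword_hash%2C%27leak%27%20FROM%20users-- HTTP/1.1" 200 1784 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2024:10:01:11 +0800] "GET /worksheet/work_update.jsp?Report=RPT-1001%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.8 - - [12/Jun/2024:10:02:30 +0800] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/worksheet/work_update.jsp"
TARGET_PARAM = "Report"

# Combined Log Format: client, ident, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of SQL injection in a decoded parameter value. Deliberately broad;
# expect false positives on free-text fields and narrow it for the real Report format.
SQLI_RE = re.compile(
    r"(?i)('|\bunion\b|\bselect\b|\bsleep\s*\(|\bwaitfor\b|--|;|/\*|\bor\b\s+['\"\d])"
)


def report_values(line):
    """Return (client_ip, [decoded Report values]) for a request to the vulnerable
    endpoint, or None when the line is unparseable or targets another path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes the values, so %27 becomes a literal quote.
    params = parse_qs(url.query, keep_blank_values=True)
    return m.group("ip"), params.get(TARGET_PARAM, [])


def suspicious(value):
    """True when a decoded Report value contains SQL injection markers."""
    return SQLI_RE.search(value) is not None


def scan(log_text):
    """Scan log lines and return (client_ip, decoded_value) for each suspicious Report."""
    hits = []
    for line in log_text.splitlines():
        parsed = report_values(line)
        if parsed is None:
            continue
        ip, values = parsed
        hits.extend((ip, v) for v in values if suspicious(v))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}: {value!r}")
```

The two flagged lines both come from 203.0.113.7; the ordinary RPT-1001 lookup and the unrelated index.jsp request are ignored. Apache logs the request line as sent by the client, so the decoding step matters: a rule that only greps the raw line for a quote character misses the percent-encoded form the example uses.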
The root cause is that /worksheet/work_update.jsp builds its SQL statement by concatenating the user-supplied Report parameter into the query text instead of passing it as a bound parameter of a prepared statement. Because the value is not validated either, anything the attacker places in Report, including quote characters, UNION clauses and comment sequences, becomes part of the statement the database executes. Parameterized queries remove the flaw entirely, since a bound value can never change the structure of the statement; input validation against the expected Report format is a worthwhile additional layer but is not a substitute.
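The following is an added example, not the vendor's code, that reproduces the flawed pattern and the hardened form side by side against an in-memory SQLite database. The worksheet and users tables, their rows, and the function names are assumptions made for the demonstration; the real KSOA schema and database engine are not known from the advisory, and the payloads are written for SQLite's comment syntax and column counts.

```python
import re
import sqlite3

# Constructed stand-in data. The schema and rows are assumptions for this example,
# not the vendor's; the hashes are throwaway values.
WORKSHEETS = [
    (1, "RPT-1001", "alice", "open"),
    (2, "RPT-1002", "bob", "closed"),
]
USERS = [
    (1, "alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "admin", "e10adc3949ba59abbe56e057f20f883e"),
]


def connect():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE worksheet (id INTEGER, report TEXT, owner TEXT, status TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO worksheet VALUES (?, ?, ?, ?)", WORKSHEETS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def find_worksheet_vulnerable(conn, report):
    """The flawed pattern: the Report request parameter is spliced into the SQL text,
    so quote characters in it change the statement the database runs."""
    sql = "SELECT id, report, owner, status FROM worksheet WHERE report = '" + report + "'"
    return conn.execute(sql).fetchall()


# Assumed format of a legitimate Report identifier; adjust to the real application.
REPORT_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def find_worksheet_fixed(conn, report):
    """Hardened form: the value is bound as a parameter, so it can never become SQL.
    The allowlist check is defence in depth and gives a clean error for bad input."""
    if not REPORT_ID.match(report):
        raise ValueError("invalid Report value")
    sql = "SELECT id, report, owner, status FROM worksheet WHERE report = ?"
    return conn.execute(sql, (report,)).fetchall()


# Two payloads for the Report parameter (constructed). The tautology returns every
# worksheet; the UNION appends rows from an unrelated table, which is how a SQL
# injection turns into a credential leak. Column count and the trailing comment are
# tuned for SQLite and would differ on another engine.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, username, password_hash, 'leak' FROM users-- "


def fixed_rejects(payload):
    """True when the hardened lookup refuses the payload before it reaches the database."""
    try:
        find_worksheet_fixed(connect(), payload)
    except ValueError:
        return True
    return False


def demo():
    """Run the same inputs through both code paths and return the results by name."""
    conn = connect()
    return {
        "legit": find_worksheet_vulnerable(conn, "RPT-1001"),
        "dump_all": find_worksheet_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "leak_users": sorted(find_worksheet_vulnerable(conn, PAYLOAD_UNION)),
        "fixed_legit": find_worksheet_fixed(conn, "RPT-1001"),
        "fixed_rejects_union": fixed_rejects(PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On the vulnerable path the tautology returns both worksheets and the UNION payload returns the users table in place of worksheet rows; on the fixed path the same legitimate lookup still works and the payloads are rejected before any query runs. Even without the allowlist, the bound parameter alone would return no rows for either payload, because the database compares the whole string, quote characters and all, against the report column.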