Thank you very much for your suggestion
Best Regards
WGCLOUD
From: ***@***.***
Sent: 2024-06-14 18:34
To: tianshiyeben/wgcloud
Cc: Subscribed
Subject: [tianshiyeben/wgcloud] There is a SQL Injection Vulnerability in wgcloud v2.3.7 open-source edition (Issue #91)
[vulnerable type] SQL Injection
[version] v2.3.7
[details]
Configure a database (I use the wgcloud's default database 'wgcloud'),
then configure table as below.
Just wait for a moment and see log:
we can see database name is wgcloud.
In RDSConnection.java, the system uses a blacklist as filter, but it's hard to filter all SQL injection words.
[repair suggestions]
Delete this feature or use white list
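
The "use white list" suggestion above, sketched as an added example (not code from wgcloud or from the report). The denylist contents, table names and method names are assumptions made for illustration; the project's actual filter in RDSConnection.java is not shown on this page.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class TableNameAllowList {
    // Hypothetical keyword denylist, standing in for the kind of filter the report describes.
    static final List<String> DENYLIST = List.of("drop", "delete", "update", "insert", ";", "--");

    // Allow-list: only tables the operator has registered may be monitored (constructed names).
    static final Set<String> ALLOWED_TABLES = Set.of("host_info", "cpu_state", "mem_state");
    // A bare SQL identifier: no spaces, quotes, commas, parentheses or operators.
    static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    // Denylist check: accepts anything that does not contain a listed keyword.
    static boolean denylistAccepts(String input) {
        String lower = input.toLowerCase(Locale.ROOT);
        return DENYLIST.stream().noneMatch(lower::contains);
    }

    // Allow-list check: accepts only a bare identifier that is a registered table.
    static boolean allowListAccepts(String input) {
        return input != null
                && IDENTIFIER.matcher(input).matches()
                && ALLOWED_TABLES.contains(input.toLowerCase(Locale.ROOT));
    }

    // A table name cannot be bound as a prepared-statement parameter, so the
    // query text is built only from a value that passed the allow-list.
    static String buildCountQuery(String table) {
        if (!allowListAccepts(table)) {
            throw new IllegalArgumentException("table not in allow-list: " + table);
        }
        return "SELECT COUNT(*) FROM " + table.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample values for the configured "table" field.
        String[] samples = {"host_info", "HOST_INFO", "host_info WHERE 1=1",
                "host_info, (SELECT 1) AS t", "unknown_table"};
        for (String s : samples) {
            System.out.printf("%-28s denylist=%-5b allow-list=%b%n",
                    s, denylistAccepts(s), allowListAccepts(s));
        }
        System.out.println(buildCountQuery("host_info"));
    }
}
```

Values that must stay dynamic, such as comparison operands in a condition, belong in `PreparedStatement` parameters rather than in the query text.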