There is a SQL Injection Vulnerability in wgcloud v2.3.7 开源版

[WDLegend]

[vulnerable type] SQL Injection
[version] v2.3.7

[details]
configure a database (i use the wgcloud's default databse 'wgcloud')
then configure table as below

just wait for a moment and see log:

we can see database name is wgcloud.

in RDSConnection.java , the system use a blacklist as filter, but it's hard to filter all sql injection words.

[repair suggetions]
Delete this feature or use white list

[tianshiyeben]

Thank you very much for your suggestion Best Regards WGCLOUD 发件人： ***@***.*** 发送时间： 2024-06-14 18:34 收件人： tianshiyeben/wgcloud 抄送： Subscribed 主题： [tianshiyeben/wgcloud] There is a SQL Injection Vulnerability in wgcloud v2.3.7 开源版 (Issue #91) [vulnerable type] SQL Injection [version] v2.3.7 [details] configure a database (i use the wgcloud's default databse 'wgcloud') then configure table as below image.png (view on web) just wait for a moment and see log: image.png (view on web) we can see database name is wgcloud. image.png (view on web) in RDSConnection.java , the system use a blacklist as filter, but it's hard to filter all sql injection words. [repair suggetions] Delete this feature or use white list — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>