DerbyNet 9.0 print/render/racer.inc SQL Injection
DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.
CVE ID: CVE-2024-30923
Description:
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the print/render/racer.inc component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the where clause in Racer Document Rendering.
Vulnerability Type: SQL Injection
Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet
Affected Product Code Base: DerbyNet - v9.0
Affected Component: print/render/racer.inc
Attack Type: Remote
Impact:
- Code execution: True
- Information Disclosure: True
Attack Vectors:
The vulnerability is present in the print/render/racer.inc component of DerbyNet, due to insufficient sanitization of the where parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the where parameter, as demonstrated in the following URL:
http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1
This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.
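Mitigation sketch (an added example, not DerbyNet's code and not the project's fix): rather than placing the request's where value into the SQL text, accept only a structured filter, check the column against an allowlist, and bind the value. The racers table, its column names, the column=integer filter format and the helper names are assumptions made for illustration; it needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added example, not DerbyNet code. Table and column names are hypothetical.

// Columns a document request may filter on (assumed names).
const FILTERABLE = ['racerid', 'classid', 'rankid'];

/**
 * Parse a "where" request value of the form "<column>=<integer>".
 * Returns [column, int] or throws; the raw text is never placed into SQL.
 */
function parse_filter(string $where): array {
    if (!preg_match('/\A([a-z]+)=(\d{1,9})\z/', $where, $m)) {
        throw new InvalidArgumentException('filter must be column=integer');
    }
    if (!in_array($m[1], FILTERABLE, true)) {
        throw new InvalidArgumentException('column not filterable');
    }
    return [$m[1], (int)$m[2]];
}

function select_racers(PDO $db, string $where): array {
    [$column, $value] = parse_filter($where);
    // $column is one of the constant strings above; $value is a bound parameter.
    $stmt = $db->prepare(
        "SELECT racerid, lastname FROM racers WHERE $column = :v ORDER BY racerid");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE racers (racerid INTEGER PRIMARY KEY, lastname TEXT,
                                classid INTEGER, rankid INTEGER)');
$db->exec("INSERT INTO racers VALUES (1,'Adams',1,1),(2,'Baker',1,2),(3,'Clark',2,3)");

// 'classid=1' is a valid filter; '1' is the raw fragment from the URL above;
// 'lastname=1' names a column that is not on the allowlist.
foreach (['classid=1', '1', 'lastname=1'] as $input) {
    try {
        $rows = select_racers($db, $input);
        echo "$input -> " . count($rows) . " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo "$input -> rejected: " . $e->getMessage() . "\n";
    }
}
```

Only the allowlisted column name is ever interpolated into the statement; the value travels as a bound parameter, so the request can no longer change the query's structure.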
Discoverer: Valentin Lobstein
References:
- Official website: http://derbynet.com
- Source code on GitHub: https://github.com/jeffpiazza/derbynet