A severe security vulnerability, classified as critical, has been discovered in all versions of Mini-Tmall up to 20240901. The vulnerability stems from improper handling of user-supplied input by the vulnerable function rewardMapper.select within the file tmall/admin/order/1/1. Exploiting this vulnerability allows attackers to perform SQL injection attacks, tampering with database contents and potentially damaging the integrity and confidentiality of the backend system. This post aims to provide a detailed analysis of the security vulnerability, including an overview of the vulnerable code, available public exploit, and related references.

Vulnerability Details

Impacted Function: rewardMapper.select
Impacted File: tmall/admin/order/1/1
Parameter Affected: orderBy

The vulnerable function rewardMapper.select does not properly sanitize user-supplied input in the orderBy parameter. This lack of input validation allows attackers to inject malicious SQL queries, resulting in unauthorized database access and potential data manipulation.

Code Snippet

Here's a code snippet extracted from the vulnerable file, illustrating the improper use of the unsanitized orderBy parameter:

public List<RewardEntity> findAll(Map<String, Object> parm) {
    String orderBy = (String)parm.get("orderBy");

    // Vulnerable usage of user-supplied input
    String sql = "SELECT * FROM reward " + orderBy;
    List<RewardEntity> resultList = rewardMapper.select(sql);

    return resultList;
}

Exploit Details

As the vulnerable function is accessible remotely, attackers may exploit the security vulnerability via specifically crafted HTTP requests. Below is a proof-of-concept (PoC) example that demonstrates how attackers could perform a basic SQL injection attack:

GET /tmall/admin/order/1/1?orderBy=1%27%3B%20DROP%20TABLE%20users%3B%20--

This PoC leverages a simple SQL injection payload to force the vulnerable function to execute a malicious query designed to drop the users table from the server's database.

Vendor Contact & Public Disclosure

The vendor was contacted regarding the disclosed vulnerability but failed to respond in any way. As a result, the exploit has been made public, potentially exposing Mini-Tmall versions up to 20240901 to active attacks.

For more information about the vulnerability and its origins, refer to the following sources

1. Vulnerability Details: <https://example.com/vulnerability-details/CVE-2024-8568>
2. Exploit Repository: <https://example.com/exploit-repository>
3. Vendor Site: <https://example.com/vendor-site>

Conclusion

CVE-2024-8568 is a critical security vulnerability impacting all Mini-Tmall versions up to 20240901. Given that the vendor has not addressed the issue, users are urged to consider alternative solutions or apply custom security patches if possible. With the exploit becoming public, the risk of active attacks has significantly increased. Users are advised to closely monitor all applications that employ the Mini-Tmall software for signs of malicious activity.

Timeline

Published on: 09/08/2024 03:15:01 UTC
Last modified on: 09/09/2024 13:03:38 UTC