tianshiyeben / wgcloud

Linux operations and monitoring tool. Supports monitoring of system hardware information, memory, CPU, temperature, disk space and I/O, disk SMART, system load, network traffic and more; service interfaces, large-screen dashboards, topology diagrams, process monitoring, port monitoring, Docker monitoring, file tamper protection, log monitoring, data visualization, web SSH, bastion host, batch command dispatch and execution, Linux panel (agent), SNMP, fault alerting, scheduled tasks, account management, asset management
http://www.wgstart.com
Apache License 2.0

There is a SQL Injection Vulnerability in wgcloud v2.3.7 (open-source edition) #91

Open WDLegend opened 3 months ago

WDLegend commented 3 months ago

[vulnerability type] SQL Injection [version] v2.3.7

[details] Configure a database (I use wgcloud's default database 'wgcloud'), then configure a table as below:

[screenshot]

Just wait for a moment and check the log:

[screenshot]

We can see the database name is wgcloud.

[screenshot]

In RDSConnection.java, the system uses a blacklist as a filter, but it's hard to filter all SQL injection keywords.

[repair suggestions] Delete this feature or use a whitelist.
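As an added example (not code from wgcloud and not posted by the issue author), the following Python script shows why a keyword blacklist in front of string-concatenated SQL is not a fix, and what the suggested whitelist looks like. The blacklist, the `count_rows_*` functions, the payload and the sqlite3 sample table are all constructed for illustration; the real filter in RDSConnection.java is not reproduced here.

```python
import re
import sqlite3

# Constructed stand-in for a keyword blacklist. wgcloud's actual list in
# RDSConnection.java is not reproduced here; this one just shows the class of bug.
BLACKLIST = ("select", "union", "drop", "--", ";", "/*", "*/")

# Constructed payload for the "table name" field. Each keyword is written with a
# copy of itself nested inside ("selselectect"): one pass of str.replace removes
# the inner copy and leaves the outer keyword intact.
PAYLOAD = "t1 uniunionon selselectect name FROM sqlite_master"


def blacklist_filter(value: str) -> str:
    """Strip blacklisted tokens once, the way naive filters do."""
    out = value
    for bad in BLACKLIST:
        out = out.replace(bad, "")
    return out


def demo_db() -> sqlite3.Connection:
    """In-memory sample database: one table with three rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (host TEXT)")
    conn.executemany("INSERT INTO t1 VALUES (?)", [("a",), ("b",), ("c",)])
    conn.commit()
    return conn


def count_rows_blacklist(conn: sqlite3.Connection, table: str) -> list:
    """Vulnerable pattern: blacklist, then concatenate the identifier into SQL."""
    sql = f"SELECT COUNT(*) FROM {blacklist_filter(table)}"
    return conn.execute(sql).fetchall()


# Whitelist side: an identifier must look like an identifier AND name a real table.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def existing_tables(conn: sqlite3.Connection) -> set:
    """Table names from the catalog (sqlite_master here; information_schema.tables on MySQL)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}


def count_rows_whitelist(conn: sqlite3.Connection, table: str) -> int:
    """Hardened pattern: reject anything that is not a known table name.

    Table names cannot be bound as query parameters, so the only safe option is
    to validate the value against a closed set before it touches the SQL text.
    """
    if not IDENT_RE.fullmatch(table):
        raise ValueError(f"invalid table identifier: {table!r}")
    if table not in existing_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    sql = f'SELECT COUNT(*) FROM "{table}"'  # already validated; quoting is belt and braces
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    db = demo_db()
    print("filtered payload:", blacklist_filter(PAYLOAD))
    print("blacklist result:", count_rows_blacklist(db, PAYLOAD))
    print("whitelist t1    :", count_rows_whitelist(db, "t1"))
    try:
        count_rows_whitelist(db, PAYLOAD)
    except ValueError as exc:
        print("whitelist payload rejected:", exc)
```

With the blacklist, the nested-keyword payload survives filtering and the monitoring query turns into a UNION that reads the schema catalog; case variation or comment tokens the list does not cover would work just as well. The whitelist does not try to recognise "bad" input at all: the value must match an identifier pattern and must be one of the names the database itself reports, which is the same check a JDBC-based implementation would need, since JDBC cannot bind a table name as a parameter either.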

tianshiyeben commented 3 months ago

Thank you very much for your suggestion

Best Regards WGCLOUD

From: @. Sent: 2024-06-14 18:34 To: tianshiyeben/wgcloud Cc: Subscribed Subject: [tianshiyeben/wgcloud] There is a SQL Injection Vulnerability in wgcloud v2.3.7 (open-source edition) (Issue #91)