Based on the information in the web page screenshot, the following key details about the vulnerability can be extracted:

### Vulnerability Description

- **Vulnerability Type**: Arbitrary File Read and Deserialization
- **Affected Versions**: dataCompare ≤ 1.0.1
- **Software**: dataCompare
- **Vendor**: dromara
- **Bug Author**: R1ckyZ
- **Vulnerable File**: `DbconfigServiceImpl.java`

### Vulnerability Details

- **Description**: The `DbConfig` class does not validate or sanitize the JDBC URL. Attackers can inject dangerous connection parameters such as `allowLoadLocalInfile`, `allowUrlInLocalInfile`, and `autoDeserialize` into the JDBC URL. When the connection test is executed in `DbconfigServiceImpl`, these properties are activated, potentially leading to arbitrary file read, SSRF, or remote code execution via deserialization.

### Code Example

```java
@RequestMapping(value = "/testConnection", method = RequestMethod.POST)
@ResponseBody
public AjaxResult testConnection(Dbconfig dbconfig) {
    try {
        dbconfigService.testConnection(dbconfig);
    } catch (Exception e) {
        e.printStackTrace();
        return error("Error message: " + e.getMessage());
    }
    return success("Connection test successful");
}
```

### Proof of Concept (PoC)

1. After logging in, access the API `/system/dbconfig/testConnection` and pass a carefully crafted JDBC connection via POST parameters, as shown in the screenshot.

### Security Recommendations

- Validate and sanitize JDBC URL parameters.
- Avoid using untrusted input for dynamic queries or connection configurations in code.
- Apply secure coding practices to prevent deserialization and arbitrary file read attacks.
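
One way to implement the first recommendation, as an added example that is not dataCompare's own code. It assumes the MySQL Connector/J driver (whose properties the description names) and Java 9+; the class name `SafeJdbcUrl` and its property allowlist are hypothetical.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: SafeJdbcUrl and its allowlist are hypothetical, not dataCompare code.
public final class SafeJdbcUrl {
    // Strict grammar: no '%', '(', ')', ',' or '@', so percent-encoded keys and
    // properties written into the host section are rejected outright.
    private static final Pattern URL = Pattern.compile(
        "^jdbc:mysql://([A-Za-z0-9.-]{1,253})(?::(\\d{1,5}))?/([A-Za-z0-9_]{1,64})(?:\\?([A-Za-z0-9=&_.:/+-]*))?$");

    // Only the properties the application needs (assumed set); compared lower-cased.
    private static final Set<String> ALLOWED = Set.of(
        "usessl", "characterencoding", "servertimezone", "connecttimeout");

    /** Returns a URL safe to hand to the driver, or throws IllegalArgumentException. */
    public static String validate(String url) {
        Matcher m = URL.matcher(url == null ? "" : url);
        if (!m.matches()) throw new IllegalArgumentException("JDBC URL does not match the allowed form");
        if (m.group(2) != null && Integer.parseInt(m.group(2)) > 65535)
            throw new IllegalArgumentException("port out of range");
        StringBuilder query = new StringBuilder();
        String params = m.group(4);
        if (params != null && !params.isEmpty()) {
            for (String pair : params.split("&")) {
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                if (!ALLOWED.contains(key.toLowerCase(Locale.ROOT)))
                    throw new IllegalArgumentException("property not allowed: " + key);
                query.append(pair).append('&');
            }
        }
        // Pin the properties named in the advisory to their safe values.
        query.append("allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoDeserialize=false");
        String port = m.group(2) == null ? "" : ":" + m.group(2);
        return "jdbc:mysql://" + m.group(1) + port + "/" + m.group(3) + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(validate("jdbc:mysql://db.internal:3306/compare?useSSL=true"));
        try {
            validate("jdbc:mysql://db.internal:3306/compare?autoDeserialize=true");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs before the connection test opens a connection, and the returned string, not the submitted one, is what gets passed to the driver. Restricting the host to known database servers is a separate control this sketch does not implement.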