danynab movify-j ReviewServiceImpl.java getByMovieId sql injection
Description
A vulnerability classified as critical was found in danynab movify-j. This vulnerability affects the function getByMovieId of the file app/business/impl/ReviewServiceImpl.java. The manipulation of the argument movieId/username leads to SQL injection. The name of the patch is c3085e01936a4d7eff1eda3093f25d56cc4d2ec5. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218476.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in movify-j's getByMovieIdAndUsername function allows attackers to execute arbitrary SQL queries via movieId or username parameters.
Vulnerability
The vulnerability resides in the getByMovieIdAndUsername method of app/business/impl/ReviewServiceImpl.java in the movify-j application. The method constructs a SQL query by directly concatenating the movieId and username parameters without sanitization, leading to SQL injection. The affected code is present in all versions prior to commit c3085e01936a4d7eff1eda3093f25d56cc4d2ec5 [1].
Exploitation
An attacker with network access to the application can exploit this vulnerability by sending crafted requests that include malicious SQL payloads in the movieId or username parameters. No authentication is explicitly required for the vulnerable endpoint, though the patch also adds authentication checks to the related controller, suggesting the endpoint may have been intended to be protected [1]. The attacker does not need any special privileges; they simply need to supply input that breaks out of the intended query structure.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized disclosure of sensitive data, modification or deletion of records, and potentially full compromise of the database server. The impact is critical as it enables data theft or destruction.
Mitigation
The fix is provided in commit c3085e01936a4d7eff1eda3093f25d56cc4d2ec5, which replaces the string concatenation with parameterized queries using Expr.eq [1]. Users should apply this patch or update to a version that includes it. No workarounds are documented in the available references.
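An added illustration of the pattern described in the Mitigation section, not movify-j's actual code: a where clause built by string concatenation beside the Expr.eq form that binds the values as parameters. It assumes Ebean 12 (io.ebean.DB, javax.persistence annotations) and a Review entity with movieId and username properties; the real entity's property names are not given on this page.

```java
import io.ebean.DB;
import io.ebean.Expr;
import javax.persistence.Entity;
import javax.persistence.Id;

// Assumed entity shape (hypothetical): Ebean's default naming convention maps
// movieId -> movie_id and username -> username in the generated SQL.
@Entity
public class Review {
    @Id
    Long id;
    Long movieId;
    String username;
    String text;

    // Pattern the advisory describes as vulnerable: both caller-supplied values
    // are spliced into the raw where clause, so they are parsed as SQL grammar
    // rather than treated as data. Any quote or operator in either value
    // changes the meaning of the query.
    public static Review getByMovieIdAndUsernameUnsafe(String movieId, String username) {
        String where = "movie_id = " + movieId + " and username = '" + username + "'";
        return DB.find(Review.class).where(where).findOne();
    }

    // Pattern the patch moves to: Expr.eq produces a predicate that Ebean
    // renders as "movie_id = ? and username = ?" and binds the values through
    // JDBC parameters, so they can only ever be compared against column values.
    // Taking movieId as a Long also rejects non-numeric input at the type level
    // before any SQL is built.
    public static Review getByMovieIdAndUsername(Long movieId, String username) {
        return DB.find(Review.class)
                .where()
                .add(Expr.eq("movieId", movieId))
                .add(Expr.eq("username", username))
                .findOne();
    }
}
```

A defender reviewing similar Ebean code can grep for `.where("` followed by string concatenation; every such call site is a candidate for the same Expr.eq rewrite.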
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/danynab/movify-j/commit/c3085e01936a4d7eff1eda3093f25d56cc4d2ec5 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.