Wanhu ezOFFICE wf_printnum.jsp sql injection

Vulnerability

The vulnerability resides in the file defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp in Wanhu ezOFFICE version 11.1.0. The recordId parameter is not properly sanitized, allowing SQL injection. The attack is unauthenticated and can be triggered remotely via a crafted GET request. [1]

Exploitation

An attacker can exploit this by sending a specially crafted HTTP GET request to the vulnerable endpoint with a malicious recordId value. The reference demonstrates using WAITFOR DELAY to confirm blind SQL injection, and SQLmap can automate exploitation. No authentication is required. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to data exfiltration, modification, or denial of service. The vulnerability is rated critical due to the ease of exploitation and potential for full database compromise. [1]

Mitigation

The vendor has released a patch; users should upgrade to the latest version from the official website (https://www.whir.net/). As a temporary workaround, restrict access to the vulnerable endpoint via WAF or network controls, though bypass risks exist. [1]