Recently, during a focused security assessment, our team identified multiple SQL Injection vulnerabilities in WebChess.
In mainmenu.php, the application frequently incorporates raw POST parameters (e.g., opponent, gameID) directly into SQL queries without any form of sanitization or prepared statements. This failure to neutralize user-controlled input creates a high-risk SQL Injection (SQLi) attack surface, allowing an attacker to manipulate query logic, bypass authentication, or extract sensitive data.
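To make the first-order pattern concrete, here is an added example (not WebChess's own code) of the unsafe construction the paragraph describes, beside a hardened equivalent using mysqli prepared statements. The table and column names (players, games, playerID, username, gameID) are assumptions for illustration, not WebChess's real schema.

```php
<?php
// Added example, not WebChess code: request parameters interpolated into SQL
// (the mainmenu.php pattern) beside a bound-parameter version. Table and column
// names are assumptions for illustration.

// --- Unsafe: the POST value becomes part of the SQL text ---
function findOpponentUnsafe(mysqli $db, array $post): ?array
{
    $opponent = $post['opponent'] ?? '';
    // Any quote characters in $opponent are parsed as SQL, not as data.
    $sql = "SELECT playerID FROM players WHERE username = '$opponent'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened: prepared statement; the value is bound, never parsed as SQL ---
function findOpponentSafe(mysqli $db, array $post): ?array
{
    $opponent = $post['opponent'] ?? '';
    $stmt = $db->prepare('SELECT playerID FROM players WHERE username = ?');
    $stmt->bind_param('s', $opponent);   // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Numeric identifiers such as gameID: validate the type first, then still bind.
function loadGameSafe(mysqli $db, array $post): ?array
{
    $gameID = filter_var(
        $post['gameID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($gameID === false) {
        return null;   // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT * FROM games WHERE gameID = ?');
    $stmt->bind_param('i', $gameID);     // 'i' = bind as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

The hardened functions keep the query text constant and pass user input only through bind_param, so the database parser never sees attacker-controlled characters as syntax. Type validation on gameID is defence in depth: binding alone already prevents injection, but rejecting non-integers early also removes a class of logic errors.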
Furthermore, multiple Second-Order SQL Injection vulnerabilities exist. The application unconditionally trusts data retrieved from the database and uses those results as part of subsequent SQL queries. The vulnerable scripts are:
mainmenu.php
chessutils.php
undo.php
chessdb.php
This kind of vulnerability creates a "pollution" effect: an attacker can inject a malicious payload into a seemingly benign field (such as a username or game setting). When this "poisoned" data is later retrieved and used in a secondary query, often in a different context or even a separate database (e.g., the admin database), the payload triggers, leading to a cross-database compromise.
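The second-order case is easy to miss in review because the first write is often done correctly. The added example below (not WebChess code) shows that shape: a username stored safely with a bound parameter, then read back and interpolated into a query against a separate admin database, followed by the fix. The table names (players, adminlog) and the two-database layout are assumptions for illustration only.

```php
<?php
// Added example, not WebChess code: second-order SQL injection across two
// databases, and the fix. Table names and layout are assumptions.

// Step 1 (looks safe): the username is written with a bound parameter, so this
// INSERT is not injectable. Whatever the user typed is stored verbatim,
// including quote characters or SQL fragments.
function registerPlayer(mysqli $gameDb, string $name): void
{
    $stmt = $gameDb->prepare('INSERT INTO players (username) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
}

// Helper: read the stored username back (correctly bound on the lookup key).
function fetchUsername(mysqli $gameDb, int $playerID): string
{
    $stmt = $gameDb->prepare('SELECT username FROM players WHERE playerID = ?');
    $stmt->bind_param('i', $playerID);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['username'] ?? '';
}

// Step 2 (vulnerable): a later script trusts the value because it came from
// "our own database" and interpolates it into a query on the admin database.
// The stored payload now becomes SQL text: this is the second-order sink.
function recordLoginUnsafe(mysqli $gameDb, mysqli $adminDb, int $playerID): void
{
    $name = fetchUsername($gameDb, $playerID);
    $adminDb->query("INSERT INTO adminlog (event) VALUES ('login: $name')");
}

// Fix: treat database-sourced values exactly like request input and bind them.
// The origin of a value never makes it safe to concatenate into SQL.
function recordLoginSafe(mysqli $gameDb, mysqli $adminDb, int $playerID): void
{
    $name = fetchUsername($gameDb, $playerID);
    $event = "login: $name";   // building a string is fine; building SQL is not
    $log = $adminDb->prepare('INSERT INTO adminlog (event) VALUES (?)');
    $log->bind_param('s', $event);
    $log->execute();
}
```

When auditing for this class of bug, the useful invariant is that every query in the code base uses placeholders for every non-constant value, regardless of whether that value arrived from $_POST, a session, or a previous SELECT. Grepping for string interpolation or concatenation inside query strings (in WebChess's case across mainmenu.php, chessutils.php, undo.php and chessdb.php) finds both the first-order and the second-order sinks at once.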