MapControl SQL Injection
Release date: 29/07/2019
Last update: 29/07/2019
Affected version(s): 8
Remediated version: 8.1
Severity Rating: High
Impact: Exposure of sensitive information
Attack vector: Remote without authentication
Details: It is possible to insert malicious SQL code into the application as an unauthenticated user. The parameter ‘mapKey’ in the Set page is vulnerable to SQL injection. The page is at the following location: https://<Host>/MapControl80/ApplicationEngine/Search/Refine/Set.
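To illustrate the class of defect described above, the following is an added example (not MapControl's code; the table, column names and handler are hypothetical) contrasting a lookup that concatenates the mapKey request parameter into the SQL text with one that binds it as a parameter. A value containing a single quote breaks the concatenated query with an SQL error, the symptom the advisory describes, while the parameterised query treats the same value as a plain literal.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the map configuration store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (map_key TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO maps VALUES (?, ?)",
        [("site_a", "Site A"), ("site_b", "Site B")],
    )
    return conn


def lookup_unsafe(conn, map_key):
    """Vulnerable form: the request parameter becomes part of the SQL statement."""
    sql = "SELECT title FROM maps WHERE map_key = '" + map_key + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, map_key):
    """Remediated form: the parameter is bound, so quotes in it have no SQL meaning."""
    sql = "SELECT title FROM maps WHERE map_key = ?"
    return [row[0] for row in conn.execute(sql, (map_key,))]


def probe(conn, map_key):
    """Return (unsafe_outcome, safe_outcome) for one value of the mapKey parameter.

    The unsafe outcome is the result list, or a string naming the SQL error
    that the concatenated statement raised.
    """
    try:
        unsafe = lookup_unsafe(conn, map_key)
    except sqlite3.Error as exc:
        unsafe = "SQL error: " + exc.__class__.__name__
    safe = lookup_safe(conn, map_key)
    return unsafe, safe


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "site_a"))   # both paths return ['Site A']
    print(probe(db, "site_a'"))  # unsafe path raises an SQL error, safe path returns []
```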
The following request is a proof of concept and will cause an SQL error:
Recommendation: Update to the latest patch.
Discovered by: David Chadwick from Content Security Pty. Ltd.