Vulnerability: Arbitrary File Read and Deserialization in dataCompare ≤ 1.0.1

**BUG_Author:** R1ckyZ

**Affected Version:** dataCompare ≤ 1.0.1

**Vendor:** [dromara](https://github.com/dromara)

**Software:** [dataCompare](https://github.com/dromara/dataCompare)

**Vulnerability** **Files:**

- `src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java`

## Description:

The `DbConfig` does not validate or sanitize the JDBC URL. An attacker can inject dangerous connection parameters such as `allowLoadLocalInfile`, `allowUrlInLocalInfile`, and `autoDeserialize` into the JDBC URL. When the connection test is performed in `DbconfigServiceImpl`, these properties are activated, potentially leading to arbitrary file read, SSRF, or deserialization-based remote code execution.

<img width="638" height="283" alt="Image" src="https://github.com/user-attachments/assets/b1edfafe-91be-41ef-8340-951df14e1a61" />

<img width="975" height="573" alt="Image" src="https://github.com/user-attachments/assets/ef3f4224-2419-49a8-9b10-5b43d8274e21" />

## Proof of Concept:

1. After logging in, access the API `/system/dbconfig/testConnection` and pass a carefully crafted JDBC connection via POST parameters, as shown in the image below.

<img width="1448" height="712" alt="Image" src="https://github.com/user-attachments/assets/2782f9fe-c701-494d-b41b-d5060ab34136" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability: Arbitrary File Read and Deserialization in dataCompare ≤ 1.0.1 #13

Description:

Proof of Concept:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability: Arbitrary File Read and Deserialization in dataCompare ≤ 1.0.1 #13

Description

Description:

Proof of Concept:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions