
SQL Injection Vulnerability in OopsSec Store via X-Forwarded-For Header
Tags: SQL_injection, HTTP_headers, X-Forwarded-For, SQLite, web_security, vulnerability, stored_XSS, exploit, cybersecurity, IP_validation
A SQL injection vulnerability has been identified in the OopsSec Store application, exploitable through the HTTP X-Forwarded-For header. The visitor tracking component takes the header value without validation and inserts it into an SQLite database through an unsafe raw SQL query ($queryRawUnsafe). Exploitation allows injecting SQL, such as '||(SELECT 'message')||', and retrieving a flag (OSS{x_f0rw4rd3d_f0r_sql1}). The flaw can also be combined with a stored XSS: JavaScript injected through the same header is stored and executes when an administrator views the analytics page. The root cause is that the vulnerable code builds the SQL statement by string concatenation and never checks that the header holds a well-formed IP address.