BID:52418

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

Info

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

Bugtraq ID:	52418
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 12 2012 12:00AM
Updated:	Mar 19 2015 09:32AM
Credit:	Niket Khosla from Sense of Security Labs.
Vulnerable:	Aurora Information Technology Aurora WebOPAC 3.5.3 Aurora Information Technology Aurora WebOPAC 3.5.2.2 Aurora Information Technology Aurora WebOPAC 3.5.0i Aurora Information Technology Aurora WebOPAC 3.5.0e Aurora Information Technology Aurora WebOPAC 3.4.7b Aurora Information Technology Aurora WebOPAC 3.4.6a

Not Vulnerable:

Discussion

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

Aurora WebOPAC is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Exploit / POC

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

Solution / Fix

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

Solution:
Updates are available. Please see the references for more details.

References

Aurora WebOPAC 'txtEmailAliasBarcode' Parameter SQL Injection Vulnerability

References:

Aurora WebOPAC Homepage (Aurora Information Technology)
Aurora WebOPAC SQL Injection - Security Advisory - SOS-12-004 ([email protected])