Security Advisory: Aurora WebOPAC; SQL Injection
Aurora WebOPAC SQL Injection – Security Advisory – Sense of Security: SOS-12-004
Aurora WebOPAC is an online library system that lets users perform tasks such as placing reservations, renewing books and searching the catalogue. During an application penetration test, Sense of Security identified that Aurora WebOPAC suffers from SQL injection vulnerabilities in MemberDetailsRecovery.aspx: the page fails to validate data supplied in the ‘txtEmailAliasBarcode’ variable before that data is used in a SQL query.
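The following is an added Python illustration of the defect class the advisory describes, not the vendor's code and not part of the original advisory: a member-lookup routine that splices the request value into the SQL text, beside the same lookup with the value bound as a parameter. The table, column names and rows are constructed for the example (the real Aurora WebOPAC schema is not on the page), and an in-memory SQLite database stands in for the application's database.

```python
import re
import sqlite3

# Constructed sample rows standing in for a library member table.
# Column names and values are assumptions for this example only.
SAMPLE_MEMBERS = [
    ("00012345", "alice@example.invalid", "Alice Example"),
    ("00067890", "bob@example.invalid", "Bob Example"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (barcode TEXT, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def recover_member_vulnerable(conn, email_alias_barcode):
    """Vulnerable pattern: the untrusted value becomes part of the SQL text.

    This mirrors the advisory's description (input used in a query without
    validation); it is an illustration, not the vendor's implementation.
    """
    sql = (
        "SELECT name FROM members WHERE email = '" + email_alias_barcode + "'"
        " OR barcode = '" + email_alias_barcode + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def recover_member_fixed(conn, email_alias_barcode):
    """Fixed pattern: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT name FROM members WHERE email = ? OR barcode = ?"
    rows = conn.execute(sql, (email_alias_barcode, email_alias_barcode))
    return sorted(row[0] for row in rows)


# Assumed input shapes for this example: a numeric barcode or a simple e-mail
# address. Validation like this is defence in depth; parameterisation is the fix.
_BARCODE = re.compile(r"^\d{6,12}$")
_EMAIL = re.compile(r"^[^@\s']+@[^@\s']+\.[^@\s']+$")


def is_plausible_lookup_value(value):
    """Allowlist check on the request value before it reaches any query."""
    return bool(_BARCODE.match(value) or _EMAIL.match(value))


def demo():
    """Run both lookups on a legitimate value and on a value carrying SQL syntax."""
    conn = make_db()
    legit = "alice@example.invalid"
    hostile = "x' OR '1'='1"  # constructed: shows the query's meaning changing
    return {
        "vulnerable_legit": recover_member_vulnerable(conn, legit),
        "vulnerable_hostile": recover_member_vulnerable(conn, hostile),
        "fixed_legit": recover_member_fixed(conn, legit),
        "fixed_hostile": recover_member_fixed(conn, hostile),
        "hostile_passes_validation": is_plausible_lookup_value(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every member for the second input because the quote characters end the string literal and the rest becomes SQL, which is the "exposure of sensitive information" impact the advisory rates as High. The parameterised query treats the same input as an ordinary string and matches nothing, and the allowlist check would have rejected it before any query ran.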
Release Date: 12-Mar-2012
Vendor Notification Date: 24-Nov-2011
Product: Aurora WebOPAC
Version: 3.5.0e, 3.4.6a, 3.5.3, 3.5.0, 3.4.7b, 188.8.131.52, possibly others
Severity Rating: High
Impact: Exposure of sensitive information
Attack Vector: remote execution without authentication
Solution Status: Vendor patch
CVE reference: not yet assigned
The vendor has advised that Patch R.3.5.3 is available, and should be applied to fix the issue.
Niket Khosla from Sense of Security Labs.