Information Security all in one place!

Security Advisory: Aurora WebOPAC; SQL Injection

Aurora WebOPAC SQL Injection – Security Advisory – Sense of Security: SOS-12-004

Aurora WebOPAC is an online library system that lets users perform tasks such as reservations, book renewals and catalogue searches. During an application penetration test, Sense of Security identified that Aurora WebOPAC suffers from SQL injection vulnerabilities in MemberDetailsRecovery.aspx, because it fails to validate data supplied in the ‘txtEmailAliasBarcode’ variable before that data is used in a SQL query.

Release Date: 12-Mar-2012
Last Update
Vendor Notification Date: 24-Nov-2011
Product: Aurora WebOPAC
Platform: Independent
Affected versions: 3.5.0e, 3.4.6a, 3.5.3, 3.5.0, 3.4.7b, 3.5.2.2, 3.4.7b, possibly others
Severity Rating: High
Impact: Exposure of sensitive information
Attack Vector: remote execution without authentication
Solution Status: Vendor patch
CVE reference: CVE – not yet assigned

Solution:
The vendor has advised that Patch R.3.5.3 is available, and should be applied to fix the issue.

Discovered by:
Niket Khosla from Sense of Security Labs.
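
The flaw class the advisory describes (a form field reaching a SQL query without validation) next to the standard remedy, as an added example that is not code from Aurora WebOPAC or from the advisory. The table, rows and function names are constructed, SQLite stands in for the product's database, and the lookup by email, alias or barcode is an assumption drawn only from the variable name.

```python
import sqlite3

MAX_LEN = 254  # assumed upper bound for an email, alias or barcode value

def make_db():
    # Constructed sample data; the product's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT, alias TEXT, barcode TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("alice@example.org", "alice", "B0001"),
        ("bob@example.org", "bob", "B0002"),
        ("o'neil@example.org", "oneil", "B0003"),
    ])
    return db

def lookup_concatenated(db, txt):
    # Flawed pattern: the field value is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT email FROM members WHERE email = '%s' "
           "OR alias = '%s' OR barcode = '%s'" % (txt, txt, txt))
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, txt):
    # Validate first: bounded length, printable characters only.
    txt = txt.strip()
    if not 0 < len(txt) <= MAX_LEN or not txt.isprintable():
        return []
    # Bind the value; the driver passes it as data, never as SQL text.
    sql = ("SELECT email FROM members WHERE email = ? "
           "OR alias = ? OR barcode = ?")
    return [row[0] for row in db.execute(sql, (txt, txt, txt))]

if __name__ == "__main__":
    db = make_db()
    for value in ("B0002", "o'neil@example.org", "nobody' OR '1'='1"):
        try:
            unsafe = lookup_concatenated(db, value)
        except sqlite3.OperationalError as exc:
            unsafe = "SQL error: %s" % exc
        print(repr(value), "| concatenated:", unsafe,
              "| parameterized:", lookup_parameterized(db, value))
```

A legitimate value containing an apostrophe breaks the concatenated query with a syntax error, which is often the first visible sign of this defect in application logs.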
