SirsiDynix Horizon Information Portal SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the SirsiDynix Horizon Information Portal (IPAC20) versions 3.25_9382 and 3.24_7488, with other versions potentially affected. The vulnerability arises from a flaw in the 'ipac.jsp' file, where the 'uri=' variable in the 'full=' inner variable is vulnerable to injection. This flaw allows an unauthenticated attacker to execute malicious SQL commands, gaining unauthorized read access to the database.

Impact

Exploitation of this vulnerability allows for unauthorized SQL injection, with the potential to read sensitive data from the database. In the tested environment, the vulnerability could be exploited to retrieve MSSQL login hashes.

Reproduction

The vulnerability can be reproduced by sending a crafted request to 'ipac.jsp' with an injected SQL payload in the 'uri=' variable. The injection can be performed via GET or POST methods, with the payload URL-encoded. The injected SQL code is executed on the database, and in the tested case, the response included the MSSQL server version, indicating successful exploitation.

Remediation

A patch is available from SirsiDynix. Users are advised to contact the vendor to ensure they have the latest update.