itsourcecode Online Public Access Catalog OPAC SQL Injection Vulnerability

A SQL injection vulnerability has been identified in itsourcecode Online Public Access Catalog (OPAC) version 1.0. The issue resides in the 'mysearch.php' file, specifically within the POST parameter handler. The vulnerability arises because user input from the 'search_field' and 'search_text' parameters is not properly sanitized before being incorporated into SQL queries. This flaw allows remote attackers to manipulate the input and execute malicious SQL commands, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for multiple forms of SQL injection, including boolean-based blind, time-based blind, and UNION-based injection techniques. This could enable attackers to enumerate database contents and exfiltrate sensitive data.

Reproduction

To reproduce this vulnerability, send a POST request to 'mysearch.php' with crafted 'search_field' and 'search_text' parameters. The absence of input validation allows for the injection of malicious SQL, which can be exploited using various SQL injection techniques.