WellSky Harmony SQL Injection Vulnerability in Login Functionality

A SQL injection vulnerability has been identified in WellSky Harmony version 4.1.0.2.83, specifically within the 'xmHarmony.asp' login endpoint. The vulnerability arises because user input in the 'TXTUSERID' parameter is not properly sanitized before being included in a SQL query. This flaw could allow attackers to bypass authentication, access sensitive data, or fully compromise the backend database.

Impact

Exploitation of this vulnerability could lead to authentication bypass, unauthorized access to application functionality, and full compromise of the backend database, including the ability to retrieve, modify, or delete data. In some cases, it may allow access to sensitive information such as user records or personally identifiable information.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to the 'xmHarmony.asp' login endpoint, including SQL control characters or expressions in the 'TXTUSERID' parameter. The lack of input sanitization will allow the SQL injection to be executed, potentially bypassing authentication and accessing restricted data or functionality.

Remediation

WellSky Harmony is end-of-life, and no vendor patch is available. It is recommended to restrict network access to the application, remove public internet exposure, and enforce VPN or management-network access. Implement a Web Application Firewall to block SQL injection attempts, enhance monitoring and logging for web and database access, and ensure the application database account has least privilege. If a vendor patch becomes available, apply it promptly and verify in a test environment.