PMB SQL Injection Scanner
Detects the 'SQL Injection (SQLi)' vulnerability in PMB, which affects versions <= 7.4.6.
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 19 days 6 hours
Scan only one: Domain, IPv4, Subdomain
The PMB software is an Integrated Library Management System (ILS) widely used in libraries for electronic cataloging and managing library services. It is designed to assist librarians, users, and developers who seek a free alternative to proprietary library management systems. PMB offers a comprehensive suite of features that streamline library operations and improve access to information. Libraries worldwide utilize PMB to manage their inventories, handle user loans, and provide updated catalog data to patrons. The system can be installed on various platforms and is popular for its open-source nature, empowering libraries to customize and enhance their digital cataloging processes. PMB also encourages collaborative development and innovation by being freely accessible to a community of library professionals and developers.
The SQL Injection vulnerability in PMB allows attackers to manipulate SQL queries through unsanitized user inputs. This vulnerability occurs when an application does not validate or sanitize user-supplied data before using it in an SQL query, leading to unauthorized database access. By exploiting this flaw, attackers may execute arbitrary SQL code within the application's database query, gaining unauthorized access to critical database information. Time-based SQLi, in particular, leverages sleep functions to confirm the presence of a vulnerability by delaying responses under controlled conditions. Such vulnerabilities are critical as they can lead to data breaches and unauthorized disclosure of sensitive library patron data.
The vulnerability lies in unsanitized parameters of HTTP requests, potentially the 'datetime' and 'id' parameters of PMB’s 'ajax.php' script. It becomes exploitable when this input is passed directly into SQL queries without being adequately sanitized or parameterized. The SQL 'SLEEP' function is what is abused here: when an injected value reaches the query, it deliberately pauses SQL execution. Because PMB processes AJAX requests, an attack using the 'AND SELECT SLEEP()' method could confirm a vulnerable status by causing intentional query delays without any additional user interaction. Inputs therefore need to be validated and handled with prepared statements or stored procedures to minimize such risks. Additionally, error messages that disclose SQL structure must be handled so that they do not leak information.
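The following Python example, added here and not taken from PMB or from the scanner, reviews web-server access logs for requests to 'ajax.php' whose 'id' or 'datetime' values fall outside an allow-list, and records whether a SLEEP call and a slow response accompany them. The parameter formats, the log layout (combined format plus a trailing request time in seconds), the 3-second threshold, the '/pmb/' path prefix and all sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed legitimate shapes for the two parameters named above (not taken from PMB's code).
ALLOWED = {
    "id": re.compile(r"\d{1,10}"),
    "datetime": re.compile(r"\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?"),
}
DELAY_CALL = re.compile(r"\bsleep\s*\(", re.IGNORECASE)
# Assumed layout: combined log format with the request time in seconds as the last field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) [^"]*" \d{3} \S+ (?P<secs>[\d.]+)$')

def check_line(line, slow_after=3.0):
    """Return a finding dict for a suspicious ajax.php request, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    if not url.path.lower().endswith("/ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # values are URL-decoded here
    # Allow-list check: any value that is not exactly the expected shape is reported,
    # so obfuscated input is caught even when the SLEEP pattern below does not match.
    bad = {n: v for n, p in ALLOWED.items() for v in params.get(n, []) if not p.fullmatch(v)}
    if not bad:
        return None
    return {
        "ip": m["ip"],
        "params": sorted(bad),
        "delay_call": any(DELAY_CALL.search(v) for v in bad.values()),
        "slow": float(m["secs"]) >= slow_after,  # response delayed as a time-based test would cause
    }

def scan(log_text):
    """Check every line of a log and return the list of findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

# Constructed sample lines (documentation IP ranges, made-up paths and timings).
SAMPLE_LOG = '''\
198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /pmb/ajax.php?id=42&datetime=2024-01-01+09%3A30%3A00 HTTP/1.1" 200 812 0.041
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /pmb/ajax.php?id=42%20AND%20(SELECT%20SLEEP(5)) HTTP/1.1" 200 0 5.037
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /pmb/ajax.php?datetime=abc HTTP/1.1" 200 17 0.030
198.51.100.4 - - [01/Jan/2024:10:00:20 +0000] "GET /pmb/index.php?id=x HTTP/1.1" 200 900 0.020
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with both "delay_call" and "slow" set is the strongest signal that a time-based test reached the database; a malformed value alone still merits review.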
If exploited, this SQL Injection vulnerability could lead to unauthorized access to the PMB database, exposure of confidential user and library data, and possible manipulation of stored information. Attackers might obtain library user credentials, hijack user sessions, or cause service disruptions by erasing or corrupting critical data records. A successful attack could also lead to escalation of user privileges, potentially providing further unauthorized access within the library management system. Libraries affected by such attacks could face reputational damage, legal liabilities, and data protection compliance failures. Immediate action to patch this vulnerability is essential to protect digital assets and maintain trusted library services.