oaicat - issue #7

SQL injection vulnerability


Posted on Oct 15, 2013 by Grumpy Bird

The SQL-based catalogs are vulnerable to SQL injection from query string parameters.

What version of the product are you using? On what operating system?
1.5.61

Reported by Ward van Wanrooij.

Comment #1

Posted on Oct 18, 2013 by Grumpy Bird

Released v1.5.62 that limits the range of characters that can be used as parameter values. The default regex pattern is now this:

^[a-zA-Z0-9\.\/\:\_\-]*$

This default can be overridden by adding an AbstractCatalog.paramRegex property to the configuration file with a custom regex pattern.

The updated oaicat.jar file can be downloaded from here:

https://oaicat.googlecode.com/files/oaicat-1.5.62.tar.gz

Comment #2

Posted on Oct 18, 2013 by Grumpy Bird

The change for this is done now.

Comment #3

Posted on Nov 13, 2013 by Quick Elephant

This fix breaks support for resumption tokens, as they include the exclamation mark by default.

Use this in the properties file to fix it:

AbstractCatalog.paramRegex=^[a-zA-Z0-9\.\/\:\_\-!]*$
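The allow-list mitigation from Comment #1 and the override from Comment #3, as an added Python example (not oaicat's own Java code): both patterns from the thread are applied to constructed OAI-PMH requests, showing the resumption token that the default pattern rejects and a hostile identifier that both patterns reject.

```python
import re

# Allow-list shipped as the default in oaicat 1.5.62 (quoted in Comment #1).
DEFAULT_PARAM_REGEX = r"^[a-zA-Z0-9\.\/\:\_\-]*$"
# Override from Comment #3: the same set plus '!' so resumption tokens pass.
RESUMPTION_SAFE_REGEX = r"^[a-zA-Z0-9\.\/\:\_\-!]*$"


def rejected_params(params, pattern=DEFAULT_PARAM_REGEX):
    """Return the sorted names of query parameters whose value fails the allow-list.

    fullmatch() is used deliberately: re.match() with a trailing '$' would still
    accept a value ending in '\n', a gap an input filter in front of SQL-backed
    catalog lookups must not have.
    """
    compiled = re.compile(pattern)
    return sorted(name for name, value in params.items()
                  if compiled.fullmatch(value) is None)


# Constructed OAI-PMH requests (not captured from a real oaicat deployment).
LIST_RECORDS_PAGE_2 = {
    "verb": "ListRecords",
    # '!'-delimited token of the shape Comment #3 describes (constructed value)
    "resumptionToken": "oai_dc!2013-10-15!2013-11-13!!0",
}
GET_RECORD_HOSTILE = {
    "verb": "GetRecord",
    "metadataPrefix": "oai_dc",
    # quote, spaces and '=' are outside both allow-lists, so this never reaches SQL
    "identifier": "oai:example.org:1' OR '1'='1",
}


def main():
    for label, request in (("resumption", LIST_RECORDS_PAGE_2),
                           ("hostile", GET_RECORD_HOSTILE)):
        print(label, "default :", rejected_params(request))
        print(label, "override:", rejected_params(request, RESUMPTION_SAFE_REGEX))


if __name__ == "__main__":
    main()
```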

Status: Fixed

Labels:
Type-Defect Priority-Medium