There is a SQL injection vulnerability in the OATH part. The publicID parameter is under direct control of the attacker, and is passed directly to the validateOATH method without any kind of filtering.
A parameterized statement is the proper way to fix this SQL injection. This idea has already been suggested (https://code.google.com/p/yubico-yubiserve/issues/detail?id=31) but was rejected. Indeed, the patch is not compatible with SQLite and MySQL because the paramstyle differs across the supported databases (SQLite, SQLite3 and MySQL).
This patch filters each field of the query string, and should fix this vulnerability.
- sql.patch 1.16KB
Status: New
Labels: Type-Defect, Priority-Medium
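The paramstyle difference raised in the issue can be handled without falling back to filtering: the DB-API 2.0 module exposes its `paramstyle`, so the placeholder can be chosen at runtime and the publicID bound as data. This is an added example, not code from the issue or from yubiserve; the `oathtokens` table and `publicname`/`secret` columns are assumed names, and the fixture rows are constructed.

```python
import sqlite3

# Map each DB-API 2.0 paramstyle to the placeholder it expects.
# sqlite3 uses "qmark" and MySQLdb uses "format"; the remaining styles are
# included so the helper generalises to any DB-API module.
def placeholder(paramstyle, index, name):
    if paramstyle == "qmark":
        return "?"
    if paramstyle == "format":
        return "%s"
    if paramstyle == "pyformat":
        return "%%(%s)s" % name
    if paramstyle == "named":
        return ":%s" % name
    if paramstyle == "numeric":
        return ":%d" % index
    raise ValueError("unsupported paramstyle: %r" % paramstyle)

def lookup_oath_key(conn, dbmodule, public_id):
    """Fetch the OATH row for public_id with a bound parameter, never by
    concatenating the attacker-controlled value into the query text."""
    style = dbmodule.paramstyle
    # Only the placeholder token is formatted in; public_id itself is passed
    # to execute() as a parameter and handled by the driver.
    sql = ("SELECT publicname, secret FROM oathtokens WHERE publicname = %s"
           % placeholder(style, 1, "publicname"))
    if style in ("pyformat", "named"):
        params = {"publicname": public_id}
    else:
        params = (public_id,)
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.fetchall()

def demo():
    # Constructed in-memory fixture; table and column names are assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oathtokens (publicname TEXT, secret TEXT)")
    conn.execute("INSERT INTO oathtokens VALUES ('ubnu', 'secret-A')")
    conn.execute("INSERT INTO oathtokens VALUES ('ubnv', 'secret-B')")
    good = lookup_oath_key(conn, sqlite3, "ubnu")
    # A publicID carrying SQL syntax is bound as plain data, so it matches
    # no row instead of altering the WHERE clause.
    hostile = lookup_oath_key(conn, sqlite3, "x' OR '1'='1")
    return good, hostile

if __name__ == "__main__":
    print(demo())
```

The same `lookup_oath_key` works unchanged against MySQLdb because the placeholder is derived from `dbmodule.paramstyle` rather than hard-coded.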