Koha/C4
Jonathan Druart 904716f581 Bug 17902: Fix possible SQL injection in serials editing
/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly; placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 12:08:31 +00:00
AuthoritiesMarc
Barcodes
ClassSortRoutine Bug 16011: $VERSION - Remove use vars qw(); 2016-03-24 17:20:39 +00:00
Creators
External
Form
Heading
ILSDI
Installer
Labels Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
Linker Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
Members
OAI
Output
Patroncards
Reports
Search
Serials
SIP Bug 17196: Move marcxml out of the biblioitems table 2017-01-13 13:49:26 +00:00
Utils
Accounts.pm
Acquisition.pm
Auth.pm Bug 9569: Security patch for AutoLocation 2017-01-30 11:25:06 +00:00
Auth_cas_servers.yaml.sample
Auth_with_cas.pm Bug 17481: Fix incorrect merge of bug 11048 (logout redirection for CAS authentication) 2016-11-07 16:34:57 +00:00
Auth_with_ldap.pm
Auth_with_shibboleth.pm
AuthoritiesMarc.pm
BackgroundJob.pm
Barcodes.pm
Biblio.pm Bug 17196: [QA Follow-up] Adjust some text on marcxml 2017-01-13 13:49:30 +00:00
Bookseller.pm Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
Boolean.pm Bug 16011: $VERSION - Remove the $VERSION init 2016-03-24 17:20:28 +00:00
Breeding.pm
Budgets.pm
Calendar.pm
Charset.pm
Circulation.pm
ClassSortRoutine.pm
ClassSource.pm
Context.pm
Contract.pm Bug 16011: $VERSION - Remove comments 2016-03-24 17:20:29 +00:00
CourseReserves.pm
Creators.pm Bug 16011: $VERSION - Remove the $VERSION init 2016-03-24 17:20:28 +00:00
Debug.pm
Heading.pm
HoldsQueue.pm
HTML5Media.pm
Images.pm
ImportBatch.pm
ImportExportFramework.pm
InstallAuth.pm Bug 16011: $VERSION - Remove comments 2016-03-24 17:20:29 +00:00
Installer.pm
ItemCirculationAlertPreference.pm
Items.pm Bug 17196: [QA Follow-up] Adjust some text on marcxml 2017-01-13 13:49:30 +00:00
Koha.pm Bug 15803: Koha::AuthorisedValues - Remove C4::Koha::GetAuthorisedValueCategories 2016-10-28 16:35:52 +00:00
Labels.pm
Languages.pm
Letters.pm Bug 17904: Fix possible SQL injection in late orders 2017-01-30 11:22:33 +00:00
Linker.pm Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
Log.pm Bug 14642: Add logging for Holds 2016-08-17 18:43:13 +00:00
MarcModificationTemplates.pm
Matcher.pm Bug 14629 - Add aggressive ISSN matching feature equivalent to the aggressive ISBN matcher 2016-10-28 11:58:14 +00:00
Members.pm
Message.pm
NewsChannels.pm
Output.pm
Overdues.pm Bug 17196: Move marcxml out of the biblioitems table 2017-01-13 13:49:26 +00:00
Patroncards.pm Bug 16011: $VERSION - Remove the $VERSION init 2016-03-24 17:20:28 +00:00
Print.pm
Record.pm
Reports.pm
Reserves.pm
Ris.pm
RotatingCollections.pm
Scheduler.pm
Scrubber.pm
Search.pm
Serials.pm Bug 17902: Fix possible SQL injection in serials editing 2017-01-30 12:08:31 +00:00
Service.pm
ShelfBrowser.pm
SMS.pm
SocialData.pm
Stats.pm
Suggestions.pm
Tags.pm Bug 16637: Dependency for C4::Tags not listed 2016-06-10 18:05:10 +00:00
Templates.pm
TmplToken.pm
TmplTokenType.pm
TTParser.pm
UsageStats.pm
XISBN.pm
XSLT.pm Bug 17642: Add and use get_descriptions_by_koha_field 2016-11-18 15:52:00 +00:00