]> git.koha-community.org Git - koha.git/commit
Bug 17902: Fix possible SQL injection in serials editing
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 10 Jan 2017 17:06:51 +0000 (18:06 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Mon, 30 Jan 2017 12:08:31 +0000 (12:08 +0000)
commit904716f581102887c27d5bfc727430564cc12284
tree61fdc4ea8a074b5d38a0c0600288a37e3c7c2dd9
parente2d1bafa22f213658fc040d541534299c126bd1b
Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
C4/Serials.pm