]> git.koha-community.org Git - koha.git/commit
Bug 17902: Fix possible SQL injection in serials editing
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 10 Jan 2017 17:06:51 +0000 (18:06 +0100)
committerJulian Maurice <julian.maurice@biblibre.com>
Tue, 31 Jan 2017 08:30:40 +0000 (09:30 +0100)
commit00ab72b2f65f6973d3033454db6806502ba53f60
tree7c11c1ed6d15a74f9633a5aaae1d6281f2020d7e
parent392b65534d5bac0da6882eb9bbf8aa3829d0ee2a
Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 14e2c2e5f70dc24a0621545aac8a1f8c568331d3)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
C4/Serials.pm