]> git.koha-community.org Git - koha.git/commit
Bug 17902: Fix possible SQL injection in serials editing
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 10 Jan 2017 17:06:51 +0000 (18:06 +0100)
committerMason James <mtj@kohaaloha.com>
Mon, 30 Jan 2017 22:55:18 +0000 (11:55 +1300)
commit635455cb00b2358eecb79f0516a0b9db2beb760a
tree6b09631c59567aa6f62de0dfa6b33e154c26a8fd
parentab7e841d4f713c784a853d009df420fe707f4aa0
Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
C4/Serials.pm