From 18cd96ece1e9b00e02b6851eca06053d10a57217 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 13 Jan 2017 16:40:59 +0100 Subject: [PATCH] Bug 17903: Fix possible SQL injection in serial claims To recreate: /cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0 Notice the delay. The SQL query is not constructed correctly, placeholders must be used. This vulnerability has been reported by MDSec. Signed-off-by: Mirko Tietgen Signed-off-by: Marcel de Rooy Signed-off-by: Kyle M Hall (cherry picked from commit 179ff58b0980f348821c727c2fa79a5eca310901) Signed-off-by: Katrin Fischer --- C4/Letters.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/C4/Letters.pm b/C4/Letters.pm index 3ff39b15f9..d62f8278f5 100644 --- a/C4/Letters.pm +++ b/C4/Letters.pm @@ -501,10 +501,10 @@ sub SendAlerts { return { error => "no_order_selected" }; } - $strsth .= join( ",", @$externalid ) . ")"; + $strsth .= join( ",", ('?') x @$externalid ) . ")"; $action = "CLAIM ISSUE"; $sthorders = $dbh->prepare($strsth); - $sthorders->execute; + $sthorders->execute( @$externalid ); $dataorders = $sthorders->fetchall_arrayref( {} ); } -- 2.39.5