]> git.koha-community.org Git - koha.git/commit
Bug 17902: Fix possible SQL injection in serials editing
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 10 Jan 2017 17:06:51 +0000 (18:06 +0100)
committerKatrin Fischer <katrin.fischer.83@web.de>
Mon, 30 Jan 2017 16:16:02 +0000 (17:16 +0100)
commit14e2c2e5f70dc24a0621545aac8a1f8c568331d3
treec3f559e5e113a0aee5ecd0afb7e973ff8f0f57ec
parent248e96030637585408831d9ff39f562b9f26278d
Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
C4/Serials.pm