]> git.koha-community.org Git - koha.git/commit
Bug 17902: Fix possible SQL injection in serials editing
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 10 Jan 2017 17:06:51 +0000 (18:06 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Mon, 30 Jan 2017 11:52:38 +0000 (11:52 +0000)
commit8924439054fec94acabef6045f21369117e528f0
tree61fdc4ea8a074b5d38a0c0600288a37e3c7c2dd9
parent93cc0956a923e94663ae74d1f435604844536571
Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
C4/Serials.pm