From b0bb1b0aa60071950a39b1c1b9e9ec145b304086 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 13 Jan 2017 16:46:51 +0100
Subject: [PATCH] Bug 17904: Fix possible SQL injection in late orders

To recreate:
/cgi-bin/koha/acqui/lateorders.plop=send_alert&ordernumber=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0
Notice the delay.
The SQL query is not constructed correctly, placeholders must be used.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
---
 C4/Letters.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index d62f8278f5..f6802cef43 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -478,10 +478,10 @@ sub SendAlerts {
         carp "No order selected";
         return { error => "no_order_selected" };
     }
-    $strsth .= join( ",", @$externalid ) . ")";
+    $strsth .= join( ",", ('?') x @$externalid ) . ")";
     $action = "ACQUISITION CLAIM";
     $sthorders = $dbh->prepare($strsth);
-    $sthorders->execute;
+    $sthorders->execute( @$externalid );
     $dataorders = $sthorders->fetchall_arrayref( {} );
 }
-- 
2.39.5
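Review bot: The ordernumbers now travel as bind values, but `$sthorders->execute( @$externalid )` still discards its return value, so unless `$dbh` was created with `RaiseError` a failed execute leaves `$dataorders` holding whatever `fetchall_arrayref` returns on a dead handle. A guard in the function's existing style would be `$sthorders->execute( @$externalid ) or die $sthorders->errstr;`, or a comment stating that the connection already raises on error if that is the case. The `('?') x @$externalid` idiom is correct, and a short comment such as `# one placeholder per ordernumber; values are bound in execute()` would make its purpose obvious to the next reader. The `IN (` prefix of `$strsth` and the rest of SendAlerts lie outside the hunk, so whether any other fragment of the statement is still built by interpolation cannot be judged from here.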