From f68e2f242faaab5f01e1c215003f63b8a22168b6 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 13 Jan 2017 16:40:59 +0100
Subject: [PATCH] Bug 17903: Fix possible SQL injection in serial claims

To recreate: /cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0 Notice the delay. The SQL query is not constructed correctly, placeholders must be used. This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen
Signed-off-by: Marcel de Rooy
Signed-off-by: Mason James
---
 C4/Letters.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index b08e10fd3f..a080378f65 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -477,9 +477,11 @@ sub SendAlerts {
 return { error => "no_order_selected" };
 }
- $strsth .= join( ",", @$externalid ) . ")";
+ $strsth .= join( ",", ('?') x @$externalid ) . ")";
+
 my $sthorders = $dbh->prepare($strsth);
- $sthorders->execute;
+ $sthorders->execute( @$externalid );
+
 my $dataorders = $sthorders->fetchall_arrayref( {} );
 my $sthbookseller =
--
2.39.5
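Review bot: The values in `@$externalid` are bound but never validated, and the `execute( @$externalid )` return value is not checked, so a caller passing a non-numeric id (presumably the `serialid` CGI values from the repro URL) now gets a silent empty result or an unchecked DBI failure instead of an explicit error. Placeholders close the injection, but a defence-in-depth check before `prepare` would make the contract explicit, e.g. `return { error => "no_order_selected" } if grep { !defined $_ || $_ !~ /\A\d+\z/ } @$externalid;` followed by `$sthorders->execute( @$externalid ) or return { error => "query_failed" };` (the error code names are a suggestion; match the file's existing ones). The `('?') x @$externalid` form depends on the arrayref being evaluated in scalar context for the count, which is correct but worth a one-line comment such as `# one placeholder per id; values are bound in execute() below`. The earlier construction of `$strsth`, the guard condition above the `return`, and the rest of `SendAlerts` all lie outside this hunk, so any other interpolation into that statement string (and the `IN ()` case for an empty list) cannot be confirmed fixed from here.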