Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0036239
Project: Openbravo ERP
Category: 09. Financial management
View Status: public
Date Submitted: 2017-06-13 08:58
Last Update: 2017-06-16 19:02
Reporter: alostale
Assigned To: collazoandy4
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
 
Fixed in Version: 3.0PR17Q3
Review Assigned To: aferraz
Modules: Core
Triggers an Emergency Pack: No
0036239: Security problem in Create Budget Reports in Excel report
SQL injection security problem in Create Budget Reports in Excel report.

The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
No tags attached.
depends on backport 0036251 (3.0PR17Q2.1, closed, collazoandy4): Security problem in Create Budget Reports in Excel report
depends on backport 0036252 (3.0PR17Q1.2, closed, collazoandy4): Security problem in Create Budget Reports in Excel report
blocks design defect 0038136 (acknowledged, platform): Tracking issue: Find & Fix queries not using bind-params but embedding values into query string
Issue History
2017-06-13 08:58 | alostale | New Issue
2017-06-13 08:58 | alostale | Assigned To => Triage Finance
2017-06-13 08:58 | alostale | Modules => Core
2017-06-13 08:58 | alostale | Triggers an Emergency Pack => No
2017-06-13 09:03 | alostale | Priority: normal => immediate
2017-06-13 09:08 | alostale | Issue Monitored: alostale
2017-06-13 13:12 | aferraz | Summary: CVE-2017-9437 => Security problem in Create Budget Reports in Excel report
2017-06-13 13:12 | aferraz | Description Updated: bug_revision_view_page.php?rev_id=15352#r15352
2017-06-14 11:33 | aferraz | Assigned To: Triage Finance => collazoandy4
2017-06-14 11:34 | aferraz | Status: new => scheduled
2017-06-15 09:17 | hgbot | Checkin
2017-06-15 09:17 | hgbot | Note Added: 0097405
2017-06-15 09:17 | hgbot | Status: scheduled => resolved
2017-06-15 09:17 | hgbot | Resolution: open => fixed
2017-06-15 09:17 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff145dc05f47f0a7c3c089dbcb3823
2017-06-15 10:07 | aferraz | Review Assigned To => aferraz
2017-06-15 10:07 | aferraz | Note Added: 0097408
2017-06-15 10:07 | aferraz | Status: resolved => closed
2017-06-15 10:07 | aferraz | Fixed in Version => 3.0PR17Q3
2017-06-16 19:02 | hudsonbot | Checkin
2017-06-16 19:02 | hudsonbot | Note Added: 0097460
2019-06-11 09:09 | alostale | Relationship added: blocks 0038136

Notes
(0097405)
hgbot   
2017-06-15 09:17   
Repository: erp/devel/pi
Changeset: f2ee792f14ff145dc05f47f0a7c3c089dbcb3823
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff145dc05f47f0a7c3c089dbcb3823

Fixes issue 36239: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
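The concatenated query the report describes, beside a hardened version that applies the kind of UUID check the changeset adds and then passes the values as bind parameters (the remedy the related tracking issue 0038136 is about). This is an added Python illustration, not Openbravo's Java code; the table, the rows and the identifier shape (32 hex characters or a hyphenated UUID) are assumptions.

```python
import re
import sqlite3

# Constructed sample accounts (table and rows are assumptions, not Openbravo data).
ACCOUNTS = [
    ("A1B2C3D4E5F60718293A4B5C6D7E8F90", "0000000000000000000000000000000A", "Sales"),
    ("0F1E2D3C4B5A69788796A5B4C3D2E1F0", "0000000000000000000000000000000B", "Salaries"),
]

# Assumed identifier shape: 32 hex characters, or the hyphenated 8-4-4-4-12 UUID form.
_UUID_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$"
)


def is_uuid(value):
    """The UUID filter: True only when value looks like an identifier, never free text."""
    return bool(_UUID_RE.match(value or ""))


def make_db():
    """In-memory stand-in for the accounting schema, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE c_elementvalue (c_elementvalue_id TEXT, c_acctschema_id TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO c_elementvalue VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def names_unsafe(conn, c_account_id, c_acctschema_id):
    """Pre-fix pattern: request parameters concatenated straight into the SQL text."""
    sql = (
        "SELECT name FROM c_elementvalue WHERE c_elementvalue_id = '" + c_account_id
        + "' AND c_acctschema_id = '" + c_acctschema_id + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def names_safe(conn, c_account_id, c_acctschema_id):
    """Hardened: reject non-identifiers up front, then bind the values instead of embedding them."""
    if not (is_uuid(c_account_id) and is_uuid(c_acctschema_id)):
        raise ValueError("parameter is not a valid UUID")
    sql = "SELECT name FROM c_elementvalue WHERE c_elementvalue_id = ? AND c_acctschema_id = ?"
    return [row[0] for row in conn.execute(sql, (c_account_id, c_acctschema_id))]
```

With a quote-bearing value in the second parameter, names_unsafe returns every row because the WHERE clause has been rewritten, while names_safe refuses the value before any SQL is built.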
(0097408)
aferraz   
2017-06-15 10:07   
Code review OK
(0097460)
hudsonbot   
2017-06-16 19:02   
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/38c05e8441a9
Maturity status: Test