Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0036251 | Project: Openbravo ERP | Category: 09. Financial management | View Status: public | Date Submitted: 2017-06-13 08:58 | Last Update: 2017-06-15 10:08
Reporter: alostale
Assigned To: collazoandy4
Priority: immediate | Severity: major | Reproducibility: have not tried
Status: closed | Resolution: fixed
5
 
Target Version: 3.0PR17Q2.1 | Fixed in Version: 3.0PR17Q2.1
Review Assigned To: aferraz
Modules: Core
No
0036251: Security problem in Create Budget Reports in Excel report
SQL injection security problem in Create Budget Reports in Excel report.

The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
-
No tags attached.
Relationships: blocks defect 0036239 (closed, collazoandy4): Security problem in Create Budget Reports in Excel report
Issue History
2017-06-14 11:34 | aferraz | Type | defect => backport
2017-06-14 11:34 | aferraz | Target Version | => 3.0PR17Q2.1
2017-06-15 09:15 | hgbot | Checkin |
2017-06-15 09:15 | hgbot | Note Added | 0097404
2017-06-15 09:15 | hgbot | Status | scheduled => resolved
2017-06-15 09:15 | hgbot | Resolution | open => fixed
2017-06-15 09:15 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/backports/3.0PR17Q2.1/rev/fc8d674b25c591ecba1803292c1a6f6bd80c2845
2017-06-15 10:08 | aferraz | Review Assigned To | => aferraz
2017-06-15 10:08 | aferraz | Note Added | 0097409
2017-06-15 10:08 | aferraz | Status | resolved => closed
2017-06-15 10:08 | aferraz | Fixed in Version | => 3.0PR17Q2.1

Notes
(0097404) hgbot 2017-06-15 09:15
Repository: erp/backports/3.0PR17Q2.1
Changeset: fc8d674b25c591ecba1803292c1a6f6bd80c2845
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/backports/3.0PR17Q2.1/rev/fc8d674b25c591ecba1803292c1a6f6bd80c2845

Fixes issue 36251: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
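The pattern the report and the changeset describe, as an added example in Python. This is not Openbravo's code (the ERP is Java and the actual change is in ReportBudgetGenerateExcel.java): it uses a constructed two-table in-memory schema, shows the "before" query that appends the cAccountId parameter to the SQL text, and a hardened version that applies a 32-hex-character UUID filter of the kind the changeset mentions and binds the value as a query parameter. Table names, column names, the sample IDs and the exact regular expression are assumptions made for the example.

```python
import re
import sqlite3

# Openbravo record IDs are 32 hexadecimal characters (a UUID without dashes).
# The changeset only says "a UUID filter was added"; this pattern is my
# assumption of what such a filter accepts, not the project's own regex.
OB_UUID = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed identifiers for the two sample accounts (not real Openbravo data).
ACCOUNT_A = "A1B2C3D4E5F60718293A4B5C6D7E8F90"
ACCOUNT_B = "0F1E2D3C4B5A69788796A5B4C3D2E1F0"

SELECT = (
    "SELECT ev.value, bl.amount FROM c_budgetline bl "
    "JOIN c_elementvalue ev ON ev.c_elementvalue_id = bl.c_elementvalue_id "
    "WHERE ev.c_elementvalue_id = "
)


def build_db():
    """Constructed in-memory stand-in for the account/budget tables (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE c_elementvalue (c_elementvalue_id TEXT PRIMARY KEY, value TEXT, name TEXT);"
        "CREATE TABLE c_budgetline (c_elementvalue_id TEXT, amount REAL);"
    )
    con.executemany("INSERT INTO c_elementvalue VALUES (?, ?, ?)",
                    [(ACCOUNT_A, "4100", "Sales"), (ACCOUNT_B, "6100", "Salaries")])
    con.executemany("INSERT INTO c_budgetline VALUES (?, ?)",
                    [(ACCOUNT_A, 1200.0), (ACCOUNT_B, 800.0)])
    con.commit()
    return con


def report_vulnerable(con, c_account_id):
    """'Before' pattern from the issue: the request parameter is appended to
    the SQL text as-is, so quotes inside it become part of the statement."""
    sql = SELECT + "'" + c_account_id + "' ORDER BY ev.value"
    return con.execute(sql).fetchall()


def is_ob_uuid(value):
    """Whitelist check: exactly 32 hex characters and nothing else."""
    return isinstance(value, str) and OB_UUID.fullmatch(value) is not None


def report_hardened(con, c_account_id):
    """'After' pattern: reject anything that is not an ID before it reaches
    SQL, and bind the value as a parameter instead of concatenating it."""
    if not is_ob_uuid(c_account_id):
        raise ValueError("cAccountId is not a 32-character hex identifier")
    sql = SELECT + "? ORDER BY ev.value"
    return con.execute(sql, (c_account_id,)).fetchall()


def demo():
    """Run both variants on a legitimate ID and on a tautology payload."""
    con = build_db()
    payload = ACCOUNT_A + "' OR '1'='1"   # closes the quote, makes WHERE always true
    result = {
        "legit_vulnerable": report_vulnerable(con, ACCOUNT_A),
        "payload_vulnerable": report_vulnerable(con, payload),  # returns every account
        "legit_hardened": report_hardened(con, ACCOUNT_A),
    }
    try:
        report_hardened(con, payload)
        result["payload_hardened"] = "executed"
    except ValueError:
        result["payload_hardened"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the sample data the vulnerable variant returns both accounts for the payload while the hardened variant raises before any SQL runs. The identifier filter is the change the commit describes; binding the value as a parameter is added here as the second layer, so that a value which somehow bypasses the filter still cannot change the structure of the statement.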
(0097409) aferraz 2017-06-15 10:08
Code review OK