Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0036252Openbravo ERP09. Financial managementpublic2017-06-13 08:582017-06-15 10:08
Reporteralostale 
Assigned Tocollazoandy4 
PriorityimmediateSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target Version3.0PR17Q1.2Fixed in Version3.0PR17Q1.2 
Merge Request Status
Review Assigned Toaferraz
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0036252: Security problem in Create Budget Reports in Excel report
DescriptionSQL injection security problem in Create Budget Reports in Excel report.

Problem is how ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437 [^]
Steps To Reproduce-
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
blocks defect 0036239 closed collazoandy4 Security problem in Create Budget Reports in Excel report 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2017-06-14 11:34aferrazTypedefect => backport
2017-06-14 11:34aferrazTarget Version => 3.0PR17Q1.2
2017-06-15 09:14hgbotCheckin
2017-06-15 09:14hgbotNote Added: 0097403
2017-06-15 09:14hgbotStatusscheduled => resolved
2017-06-15 09:14hgbotResolutionopen => fixed
2017-06-15 09:14hgbotFixed in SCM revision => http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^]
2017-06-15 10:08aferrazReview Assigned To => aferraz
2017-06-15 10:08aferrazNote Added: 0097410
2017-06-15 10:08aferrazStatusresolved => closed
2017-06-15 10:08aferrazFixed in Version => 3.0PR17Q1.2

Notes
(0097403)
hgbot   
2017-06-15 09:14   
Repository: erp/backports/3.0PR17Q1.2
Changeset: 140153ba6306875c34e26979ad8d3bebae3f7e9b
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^]

Fixes issue 36252: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
(0097410)
aferraz   
2017-06-15 10:08   
Code review OK