Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0036252
Project: Openbravo ERP
Category: 09. Financial management
View Status: public
Date Submitted: 2017-06-13 08:58
Last Update: 2017-06-15 10:08
Reporter: alostale
Assigned To: collazoandy4
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
 
Target Version: 3.0PR17Q1.2
Fixed in Version: 3.0PR17Q1.2
Review Assigned To: aferraz
Modules: Core
Triggers an Emergency Pack: No
0036252: Security problem in Create Budget Reports in Excel report
SQL injection security problem in Create Budget Reports in Excel report.

The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
No tags attached.
Relationships: blocks defect 0036239 (closed, collazoandy4): Security problem in Create Budget Reports in Excel report
Issue History
2017-06-14 11:34  aferraz  Type: defect => backport
2017-06-14 11:34  aferraz  Target Version: => 3.0PR17Q1.2
2017-06-15 09:14  hgbot    Checkin
2017-06-15 09:14  hgbot    Note Added: 0097403
2017-06-15 09:14  hgbot    Status: scheduled => resolved
2017-06-15 09:14  hgbot    Resolution: open => fixed
2017-06-15 09:14  hgbot    Fixed in SCM revision: => http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b
2017-06-15 10:08  aferraz  Review Assigned To: => aferraz
2017-06-15 10:08  aferraz  Note Added: 0097410
2017-06-15 10:08  aferraz  Status: resolved => closed
2017-06-15 10:08  aferraz  Fixed in Version: => 3.0PR17Q1.2

Notes
(0097403) hgbot 2017-06-15 09:14
Repository: erp/backports/3.0PR17Q1.2
Changeset: 140153ba6306875c34e26979ad8d3bebae3f7e9b
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b

Fixes issue 36252: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
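As an added illustration, not code from Openbravo's ReportBudgetGenerateExcel.java or from the changeset above, the pattern the fix note describes: reject any request parameter that is not a well-formed ID before it can reach the query, and bind it as a prepared-statement parameter instead of concatenating it. The table and column names, the ID format (32 hexadecimal characters, assumed here as the Openbravo ID convention) and the method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class BudgetIdFilterExample {
  // Assumed ID format: 32 hexadecimal characters, no dashes.
  private static final Pattern ID_PATTERN = Pattern.compile("^[0-9A-Fa-f]{32}$");

  /** Returns true only for a well-formed ID; every other value is rejected. */
  public static boolean isValidId(String value) {
    return value != null && ID_PATTERN.matcher(value).matches();
  }

  // Shape of the bug class (hypothetical, not Openbravo's code): the request
  // parameters are concatenated straight into the statement text, so a quote
  // character in either parameter changes the SQL that is executed.
  public static String buildUnsafeQuery(String cAccountId, String cAcctSchemaId) {
    return "SELECT c_budgetline_id FROM c_budgetline WHERE c_elementvalue_id = '"
        + cAccountId + "' AND c_acctschema_id = '" + cAcctSchemaId + "'";
  }

  // Hardened shape: the ID filter runs first, and the validated values are then
  // bound as parameters so the statement text never contains user input.
  public static ResultSet runSafeQuery(Connection conn, String cAccountId,
      String cAcctSchemaId) throws SQLException {
    if (!isValidId(cAccountId) || !isValidId(cAcctSchemaId)) {
      throw new IllegalArgumentException("cAccountId / inpcAcctSchemaId must be IDs");
    }
    PreparedStatement ps = conn.prepareStatement(
        "SELECT c_budgetline_id FROM c_budgetline"
            + " WHERE c_elementvalue_id = ? AND c_acctschema_id = ?");
    ps.setString(1, cAccountId);
    ps.setString(2, cAcctSchemaId);
    return ps.executeQuery();
  }

  public static void main(String[] args) {
    // Constructed sample inputs: one well-formed ID and one value that is not an ID.
    String good = "0123456789ABCDEF0123456789ABCDEF";
    String bad = "not-an-id' --";
    System.out.println(isValidId(good)); // true: passes the filter
    System.out.println(isValidId(bad));  // false: rejected before any SQL is built
    // Shows how the unfiltered value alters the statement text.
    System.out.println(buildUnsafeQuery(good, bad));
  }
}
```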
(0097410) aferraz 2017-06-15 10:08
Code review OK