ID: 0036239
Type: defect
Category: [Openbravo ERP] 09. Financial management
Severity: major
Reproducibility: have not tried
Date Submitted: 2017-06-13 08:58
Last Update: 2017-06-16 19:02
Reporter: alostale
View Status: public
Assigned To: collazoandy4
Priority: immediate
Resolution: fixed
Fixed in Version: 3.0PR17Q3
Status: closed
Fix in branch:
Fixed in SCM revision: f2ee792f14ff
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: aferraz
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No

Summary: 0036239: Security problem in Create Budget Reports in Excel report

Description: SQL injection security problem in Create Budget Reports in Excel report.

The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Request parameters are appended directly to the query string without being validated or escaped, which allows SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
Steps To Reproduce: -
Tags: No tags attached.
Attached Files:

- Relationships
depends on backport 0036251 (3.0PR17Q2.1) closed collazoandy4 Security problem in Create Budget Reports in Excel report
depends on backport 0036252 (3.0PR17Q1.2) closed collazoandy4 Security problem in Create Budget Reports in Excel report
blocks design defect 0038136 acknowledged Triage Platform Base Tracking issue: Find & Fix queries not using bind-params but embedding values into query string

-  Notes
(0097405)
hgbot (developer)
2017-06-15 09:17

Repository: erp/devel/pi
Changeset: f2ee792f14ff145dc05f47f0a7c3c089dbcb3823
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff145dc05f47f0a7c3c089dbcb3823

Fixes issue 36239: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
(0097408)
aferraz (manager)
2017-06-15 10:07

Code review OK
(0097460)
hudsonbot (developer)
2017-06-16 19:02

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/38c05e8441a9
Maturity status: Test
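
The description above states the defect (report parameters concatenated into the SQL string) and note 0097405 states the fix (a UUID filter on cAccountId and inpcAcctSchemaId); the blocking issue 0038136 names the more general remedy, bind parameters. The following is an added example, not Openbravo code and not the contents of ReportBudgetGenerateExcel.java: it is written in Python against an in-memory SQLite table so it runs stand-alone, and it shows the concatenation pattern beside a hardened version that applies both defences. The table `budget_accounts`, its rows, the tampered input and the identifier check (assumed here to mean "32 hexadecimal characters", the shape of Openbravo IDs) are all constructed for the example; the real fix's filter class is not reproduced.

```python
"""Added example: SQL concatenation vs. ID validation plus bind parameters.

Not Openbravo code. Models the defect in issue 0036239 and the two defences
(the UUID filter from the fix, the bind parameters from issue 0038136).
"""
import re
import sqlite3

# Assumption: identifiers are 32 hexadecimal characters, as Openbravo IDs are.
# This regular expression stands in for the fix's "UUID filter".
OPENBRAVO_ID = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample identifiers and rows (not real data).
ACCT_1 = "1A" * 16
ACCT_2 = "2B" * 16
SCHEMA_1 = "3C" * 16
SCHEMA_2 = "5E" * 16
SAMPLE_ROWS = [
    (ACCT_1, SCHEMA_1, "Sales revenue"),
    (ACCT_2, SCHEMA_1, "Cost of goods sold"),
    ("4D" * 16, SCHEMA_2, "Other schema account"),
]

# Constructed tampered parameter value: not an identifier at all.
TAMPERED = "' OR '1'='1"


def open_db():
    """Create an in-memory table standing in for the report's account data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE budget_accounts ("
        "c_elementvalue_id TEXT, c_acctschema_id TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO budget_accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, c_account_id, c_acctschema_id):
    """The pattern the issue describes: parameters appended to the SQL string."""
    sql = (
        "SELECT name FROM budget_accounts WHERE c_elementvalue_id = '"
        + c_account_id
        + "' AND c_acctschema_id = '"
        + c_acctschema_id
        + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def is_openbravo_id(value):
    """Defence 1 (this fix): accept only well-formed identifiers."""
    return isinstance(value, str) and OPENBRAVO_ID.fullmatch(value) is not None


def hardened_query(conn, c_account_id, c_acctschema_id):
    """Validate both parameters, then bind them instead of embedding them."""
    for name, value in (("cAccountId", c_account_id),
                        ("inpcAcctSchemaId", c_acctschema_id)):
        if not is_openbravo_id(value):
            raise ValueError(f"parameter {name} is not a valid identifier")
    # Defence 2 (issue 0038136): bind parameters; values never reach the parser.
    sql = (
        "SELECT name FROM budget_accounts "
        "WHERE c_elementvalue_id = ? AND c_acctschema_id = ? ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (c_account_id, c_acctschema_id))]


def run_demo():
    """Run both variants on a valid and a tampered cAccountId; return outcomes."""
    conn = open_db()
    results = {
        "vulnerable_valid": vulnerable_query(conn, ACCT_1, SCHEMA_1),
        # The tampered value widens the WHERE clause to every account in the schema.
        "vulnerable_tampered": vulnerable_query(conn, TAMPERED, SCHEMA_1),
        "hardened_valid": hardened_query(conn, ACCT_1, SCHEMA_1),
    }
    try:
        hardened_query(conn, TAMPERED, SCHEMA_1)
        results["hardened_tampered"] = "accepted"
    except ValueError:
        results["hardened_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The validation step alone would have closed this issue, because a 32-character hex check leaves no room for quotes or keywords; the bind-parameter step is what makes the query safe regardless of how a later change handles its inputs, which is why the tracking issue treats string-embedded values as defects in their own right.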

- Issue History
Date Modified Username Field Change
2017-06-13 08:58 alostale New Issue
2017-06-13 08:58 alostale Assigned To => Triage Finance
2017-06-13 08:58 alostale Modules => Core
2017-06-13 08:58 alostale Triggers an Emergency Pack => No
2017-06-13 09:03 alostale Priority normal => immediate
2017-06-13 09:08 alostale Issue Monitored: alostale
2017-06-13 13:12 aferraz Summary CVE-2017-9437 => Security problem in Create Budget Reports in Excel report
2017-06-13 13:12 aferraz Description Updated
2017-06-14 11:33 aferraz Assigned To Triage Finance => collazoandy4
2017-06-14 11:34 aferraz Status new => scheduled
2017-06-15 09:17 hgbot Checkin
2017-06-15 09:17 hgbot Note Added: 0097405
2017-06-15 09:17 hgbot Status scheduled => resolved
2017-06-15 09:17 hgbot Resolution open => fixed
2017-06-15 09:17 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff145dc05f47f0a7c3c089dbcb3823
2017-06-15 10:07 aferraz Review Assigned To => aferraz
2017-06-15 10:07 aferraz Note Added: 0097408
2017-06-15 10:07 aferraz Status resolved => closed
2017-06-15 10:07 aferraz Fixed in Version => 3.0PR17Q3
2017-06-16 19:02 hudsonbot Checkin
2017-06-16 19:02 hudsonbot Note Added: 0097460
2019-06-11 09:09 alostale Relationship added blocks 0038136

