0036252: Security problem in Create Budget Reports in Excel report

Description

SQL injection security problem in Create Budget Reports in Excel report.

Problem is how ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437 [^]

Steps To Reproduce

Tags

No tags attached.

Attached Files

Relationships [ Relation Graph ] [ Dependency Graph ]

blocks

defect

0036239

closed

collazoandy4

Security problem in Create Budget Reports in Excel report

Notes
(0097403) hgbot (developer) 2017-06-15 09:14	Repository: erp/backports/3.0PR17Q1.2 Changeset: 140153ba6306875c34e26979ad8d3bebae3f7e9b Author: Armaignac <collazoandy4 <at> gmail.com> Date: Wed Jun 14 11:47:03 2017 -0400 URL: http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^] Fixes issue 36252: Security problem in Create Budget Reports in Excel report SQL injection security problem in Create Budget Reports in Excel report. A UUID filter was added to check the params cAccountId and inpcAcctSchemaId. --- M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java ---

(0097410) aferraz (viewer) 2017-06-15 10:08	Code review OK

Issue History
Date Modified	Username	Field	Change
2017-06-14 11:34	aferraz	Type	defect => backport
2017-06-14 11:34	aferraz	Target Version	=> 3.0PR17Q1.2
2017-06-15 09:14	hgbot	Checkin
2017-06-15 09:14	hgbot	Note Added: 0097403
2017-06-15 09:14	hgbot	Status	scheduled => resolved
2017-06-15 09:14	hgbot	Resolution	open => fixed
2017-06-15 09:14	hgbot	Fixed in SCM revision	=> http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b [^]
2017-06-15 10:08	aferraz	Review Assigned To	=> aferraz
2017-06-15 10:08	aferraz	Note Added: 0097410
2017-06-15 10:08	aferraz	Status	resolved => closed
2017-06-15 10:08	aferraz	Fixed in Version	=> 3.0PR17Q1.2