View Issue Details
ID: 0036252
Type: backport
Category: [Openbravo ERP] 09. Financial management
Severity: major
Reproducibility: have not tried
Date Submitted: 2017-06-13 08:58
Last Update: 2017-06-15 10:08
Reporter: alostale
View Status: public
Assigned To: collazoandy4
Priority: immediate
Resolution: fixed
Fixed in Version: 3.0PR17Q1.2
Status: closed
Fixed in SCM revision: 140153ba6306
Projection: none
ETA: none
Target Version: 3.0PR17Q1.2
OS: Any
Database: Any
Review Assigned To: aferraz
Modules: Core
Triggers an Emergency Pack: No
Summary: 0036252: Security problem in Create Budget Reports in Excel report

Description:
SQL injection security problem in Create Budget Reports in Excel report.

The problem is how the ReportBudgetGenerateExcel.printPageDataExcel method creates the query. Parameters are appended to the query without being parsed to avoid SQL injection.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9437
Steps To Reproduce: -
Tags: No tags attached.
Attached Files: -
Relationships:
  blocks defect 0036239 (closed, collazoandy4): Security problem in Create Budget Reports in Excel report

Notes
(0097403)
hgbot (developer)
2017-06-15 09:14

Repository: erp/backports/3.0PR17Q1.2
Changeset: 140153ba6306875c34e26979ad8d3bebae3f7e9b
Author: Armaignac <collazoandy4 <at> gmail.com>
Date: Wed Jun 14 11:47:03 2017 -0400
URL: http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b

Fixes issue 36252: Security problem in Create Budget Reports in Excel report

SQL injection security problem in Create Budget Reports in Excel report.
A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.

---
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
---
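The pattern the description names (report parameters appended straight into the SQL string) and the fix the commit note describes (an allow-list check on cAccountId and inpcAcctSchemaId before they reach the query) are illustrated by the following added example. It is not part of this issue, the Openbravo commit, or ReportBudgetGenerateExcel.java: it is Python over an in-memory SQLite table with constructed rows, and the is_id regular expression, the table and column names, and the sample IDs are assumptions of the example, not Openbravo's.

```python
import re
import sqlite3

# Allow-list for identifier parameters. Assumption made for this example (not
# taken from the Openbravo fix): an ID is a hexadecimal string, either a
# 32-character UUID or a shorter legacy numeric ID, so a quote, space, comment
# marker or any other non-hex character is rejected before any SQL is built.
_ID_RE = re.compile(r"^[0-9A-Fa-f]{1,32}$")


def is_id(value):
    """Return True only if value is a plausible identifier under the allow-list."""
    return isinstance(value, str) and _ID_RE.match(value) is not None


def build_demo_db():
    """Constructed in-memory table standing in for the account rows a budget
    report reads. Table and column names are illustrative, not Openbravo's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (account_id TEXT, acctschema_id TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [
            ("E6B1F8F0C5E54D1E9A2B3C4D5E6F7A8B", "1000000", "Cash"),
            ("0123456789ABCDEF0123456789ABCDEF", "1000000", "Receivables"),
            ("11111111222222223333333344444444", "1000001", "Payables"),
        ],
    )
    return conn


def vulnerable_query(conn, c_account_id, acct_schema_id):
    """The pattern the report describes: parameters concatenated into the SQL.
    A value such as "' OR 1=1 --" closes the literal, disables every later
    condition with a comment and returns all accounts."""
    sql = (
        "SELECT name FROM account WHERE account_id = '" + c_account_id
        + "' AND acctschema_id = '" + acct_schema_id + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def hardened_query(conn, c_account_id, acct_schema_id):
    """Validate both IDs against the allow-list first, then bind them as
    query parameters so they can never be interpreted as SQL."""
    for name, value in (("cAccountId", c_account_id),
                        ("inpcAcctSchemaId", acct_schema_id)):
        if not is_id(value):
            raise ValueError("rejected parameter %s: %r" % (name, value))
    sql = "SELECT name FROM account WHERE account_id = ? AND acctschema_id = ?"
    return [row[0] for row in conn.execute(sql, (c_account_id, acct_schema_id))]


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR 1=1 --"
    print(vulnerable_query(db, payload, "1000000"))  # every account, schema filter bypassed
    try:
        hardened_query(db, payload, "1000000")
    except ValueError as err:
        print(err)
```

The allow-list does its work before any SQL exists, which is why a check of this kind is effective even in code that still assembles the query by string concatenation, as the fix note describes; binding the values as parameters is the second, independent layer.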
(0097410)
aferraz (manager)
2017-06-15 10:08

Code review OK

Issue History
Date Modified Username Field Change
2017-06-14 11:34 aferraz Type defect => backport
2017-06-14 11:34 aferraz Target Version => 3.0PR17Q1.2
2017-06-15 09:14 hgbot Checkin
2017-06-15 09:14 hgbot Note Added: 0097403
2017-06-15 09:14 hgbot Status scheduled => resolved
2017-06-15 09:14 hgbot Resolution open => fixed
2017-06-15 09:14 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/backports/3.0PR17Q1.2/rev/140153ba6306875c34e26979ad8d3bebae3f7e9b
2017-06-15 10:08 aferraz Review Assigned To => aferraz
2017-06-15 10:08 aferraz Note Added: 0097410
2017-06-15 10:08 aferraz Status resolved => closed
2017-06-15 10:08 aferraz Fixed in Version => 3.0PR17Q1.2
