Anonymous | Login

Project:

News | My View | View Issues | Roadmap | Summary

View Issue Details[ Jump to Notes ]

[ Issue History ] [ Print ]

ID

0009145

Type

Category

Severity

Reproducibility

Date Submitted

Last Update

defect

[Openbravo ERP] 07. Sales management

major

have not tried

2009-05-22 18:14

2009-06-18 00:00

Reporter

shuehner

View Status

public

Assigned To

shuehner

Priority

urgent

Resolution

duplicate

Fixed in Version

Status

closed

Fix in branch

pi

Fixed in SCM revision

Projection

none

ETA

none

Target Version

OS

Any

Database

Any

Java version

OS Version

Database version

Ant version

Product Version

pi

SCM revision

Review Assigned To

Web browser

Modules

Core

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0009145: SQL injection in Report Invoice Discount

Description

This report has an issue where it is possible to inject code into the executed SQL statement via crafted parameters

Tags

No tags attached.

Relationships [ Relation Graph ] [ Dependency Graph ]

duplicate of	defect	0009501		closed	shuehner	Audit all xsql to ensure that all xsql-parameters of type argument/replace are properly validated -part1
depends on	feature request	0009500		closed	shuehner	Add infrastructure to VariablesBase class to allow for technical validation of request parameters

Notes
(0016592) shuehner (administrator) 2009-05-22 18:16	likely also be present in 2.40

(0016601) rafaroda (developer) 2009-05-25 09:58	Stefan, Could you please give some steps to reproduce this issue? Thanks.

(0017396) shuehner (administrator) 2009-06-17 18:31	First commit into 9501 does include fix for this issue.

Issue History
Date Modified	Username	Field	Change
2009-05-22 18:14	shuehner	New Issue
2009-05-22 18:14	shuehner	Assigned To	=> rafaroda
2009-05-22 18:16	shuehner	Note Added: 0016592
2009-05-25 09:58	rafaroda	Note Added: 0016601
2009-05-25 09:58	rafaroda	Assigned To	rafaroda => shuehner
2009-05-25 09:58	rafaroda	Status	new => scheduled
2009-05-25 09:58	rafaroda	fix_in_branch	=> pi
2009-06-16 16:33	shuehner	Relationship added	depends on 0009500
2009-06-16 16:40	shuehner	Relationship added	blocks 0009501
2009-06-17 18:31	shuehner	Relationship replaced	duplicate of 0009501
2009-06-17 18:31	shuehner	Status	scheduled => closed
2009-06-17 18:31	shuehner	Note Added: 0017396
2009-06-17 18:31	shuehner	Duplicate ID	0 => 9501
2009-06-17 18:31	shuehner	Resolution	open => duplicate
2009-06-18 00:00	anonymous	sf_bug_id	0 => 2807995

Copyright © 2000 - 2009 MantisBT Group