[Koha-bugs] [Bug 19061] New: sql injection vulnerability in cash_register_stats.pl
bugzilla-daemon at bugs.koha-community.org
Tue Aug 8 12:39:44 CEST 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19061
Bug ID: 19061
Summary: sql injection vulnerability in cash_register_stats.pl
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Reports
Assignee: koha-bugs at lists.koha-community.org
Reporter: colin.campbell at ptfs-europe.com
QA Contact: testopia at bugs.koha-community.org
Two parameters are embedded in the SQL statement executed by this report, so
that sending a single quote as the value for branch causes a MySQL error to be
returned. Parameters should always be passed via placeholders in the
statement and as parameters to the exec call.
While not a major vulnerability, this will be picked up by penetration testing
scripts.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
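The defect and the fix the report asks for, side by side, as an added example (not Koha's own code): the interpolated form lets a quote in the branch value alter the SQL text and fail, while the DBI placeholder form carries the same value as bind data and simply matches no rows. It assumes DBD::SQLite is installed; the table and its rows are constructed sample data standing in for Koha's MySQL schema.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database standing in for Koha's MySQL schema (constructed
# sample data; the table and column names are illustrative, not Koha's own).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE register (branch TEXT, amount REAL)');
$dbh->do(q{INSERT INTO register VALUES ('CPL', 2.50), ('MPL', 7.00)});

# Vulnerable form: the report parameter is interpolated into the SQL text,
# so a value containing a quote changes the statement itself.
sub total_interpolated {
    my ($branch) = @_;
    my $sql = "SELECT SUM(amount) FROM register WHERE branch = '$branch'";
    return $dbh->selectrow_array($sql);
}

# Fixed form: the parameter travels as a bind value passed to execute(),
# never as part of the SQL text, so quoting in the value is irrelevant.
sub total_bound {
    my ($branch) = @_;
    my $sth = $dbh->prepare(
        'SELECT SUM(amount) FROM register WHERE branch = ?');
    $sth->execute($branch);
    my ($total) = $sth->fetchrow_array;
    return $total;
}

# A normal branch code, then the single quote the report describes.
for my $branch ('CPL', q{'}) {
    my $interp = eval { total_interpolated($branch) };
    printf "interpolated branch=%-4s -> %s\n", $branch,
        defined $interp ? $interp : 'ERROR: ' . ($@ =~ s/\n.*//sr);
    my $bound = total_bound($branch);
    printf "bound        branch=%-4s -> %s\n", $branch,
        defined $bound ? $bound : 'no rows';
}
```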