|
From: | Florian HENRY |
Subject: | Re: [Dolibarr-dev] Bug report |
Date: | Thu, 10 Jul 2014 08:43:53 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 |
Hello,
This vulnerability was already send to us , I created a bug about it. And this one is already fix into 3.5 branch. https://doliforge.org/tracker/?func=detail&aid=1437&atid=246&group_id=144 https://github.com/Dolibarr/dolibarr/pull/1645 Deepak Rathore send us the information, but as I made some fix, but not all, he publish the issues. That the normal process. After that read what the exploit is : entity is not escaped and produce a SQL error message, and they says it can be a source of SQL injection... I understand the concept but, in this case, you can't have any SQL injection with sql request like "WHERE entity IN (0,".$entity)". Put what you want here, it will never produce a SQL injection of malicius data, at least is will give you an error message and th'at the case. Or If you know a way to really use this exploit please let me know, I want to learn how to hack application with this kind of exploit. There is tha same issue with sort order and sort field send by query string into list. It give an SQL error but if somebody can explain to me how insert or read data of a database just by hacking the "ORDER BY " instruction, you'll maka my day. Regards Florian Henry +33 6 03 76 48 07 address@hidden http://www.open-concept.pro Twitter : @_Open_Concept_Le 08/07/2014 15:24, Maxime Kohlhaas a écrit :
|
[Prev in Thread] | Current Thread | [Next in Thread] |