Openfire (ARCHIVED)
JM-1488

CallLogDAO in SIP Plugin enables SQL Injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.1
    • Component/s: Plugins
    • Labels:
      None
    • Environment:

      All

      Description

      CallLogDAO in the SIP Plugin is using prepared statements, but is still inserting SQL query values into the initialization string.

      The values MUST be inserted into the prepared statement via the PreparedStatement instance to prevent SQL injection.
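
The pattern described above next to its fix, as an added example that is not code from the SIP plugin or the Openfire project. The class name, the table and column names, and the in-memory H2 JDBC URL (driver on the classpath) are assumptions chosen for illustration.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

// Added example: call_log, username and callee are hypothetical names, not Openfire's schema.
public class CallLogQueryDemo {

    // Anti-pattern from the description: a PreparedStatement is used, but the
    // value is already concatenated into the SQL string it is created from,
    // so the database parses the value as part of the statement.
    static List<String> findConcatenated(Connection c, String user) throws SQLException {
        String sql = "SELECT callee FROM call_log WHERE username = '" + user + "'";
        try (PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return readCallees(rs);
        }
    }

    // Fix: constant SQL text with a placeholder; the value is bound through
    // the PreparedStatement instance and is only ever treated as data.
    static List<String> findBound(Connection c, String user) throws SQLException {
        String sql = "SELECT callee FROM call_log WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return readCallees(rs);
            }
        }
    }

    static List<String> readCallees(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString(1));
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory H2 database, used only to make the demo self-contained.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE call_log (username VARCHAR(64), callee VARCHAR(32))");
            st.execute("INSERT INTO call_log VALUES ('alice', '1001'), ('bob', '1002')");
            String crafted = "nobody' OR '1'='1"; // constructed test input, matches no real user
            // Same input to both methods; only the bound version compares it as a literal name.
            System.out.println("concatenated: " + findConcatenated(c, crafted));
            System.out.println("bound:        " + findBound(c, crafted));
        }
    }
}
```

A quick review check for this class of bug: any `prepareStatement` call whose SQL argument is built with `+` or string formatting from non-constant values needs the values moved to `?` placeholders.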


          Activity

          Guus der Kinderen added a comment -

          This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

          Guus der Kinderen added a comment -

          I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.


            People

            • Assignee:
              Thiago Rocha Camargo
              Reporter:
              Thiago Rocha Camargo
            • Votes:
              1
              Watchers:
              1
