CallLogDAO in SIP Plugin enables SQL Injection

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.1
Component/s: Plugins
Labels:
None
Environment:

All

Acceptance Test - Add?:
No

Description

CallLogDAO in SIP Plugin is using prepared Statements.
But still inserting SQL Query values in the initialization String.

The values MUST be inserted in the prepared Statement via PreparedStatement Instance to prevent SQL Injection.

Issue Links

is related to

JM-629 Additional cross-site scripting bugs in login

JM-1489 Authentication bypass allowing arbitrary code execution

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Guus der Kinderen added a comment - 11/10/08 02:17 PM

This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Show

Guus der Kinderen added a comment - 11/10/08 02:17 PM This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Hide

Permalink

Guus der Kinderen added a comment - 11/12/08 09:41 AM

I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.

Show

Guus der Kinderen added a comment - 11/12/08 09:41 AM I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.

People

Assignee:

Thiago Rocha Camargo

Reporter:

Thiago Rocha Camargo

Vote (1)

Watch (1)

Dates

Created:

11/10/08 02:00 PM

Updated:

11/14/08 08:35 AM

Resolved:

11/14/08 08:35 AM

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified