APF-Tracker

Adventure PHP Framework Issue Management


Issue: 0000306
Project: GORM [Adventure PHP Framework]
Category: Sicherheit // Security
View Status: public
Date Submitted: 2016-07-20 15:40
Last Update: 2016-07-30 10:26
Reporter: thalo1
Assigned To: ChristianAchatz
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: [Adventure PHP Framework] 3.2
Target Version: [Adventure PHP Framework] 3.3
Fixed in Version: [Adventure PHP Framework] 3.3
Summary: 0000306: GORM - SQL Injection Vulnerability
Description: Inadequate filtering of GenericDomainObject::getObjectID() leads to a SQL Injection vulnerability.

Affected methods:

deleteObject
saveObject
loadRelatedObjects
loadNotRelatedObjects
loadRelationMultiplicity
createAssociation
deleteAssociation
deleteAssociations
isAssociated
isComposed
Tags: gorm
Code reference ([File]:[Line]):
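As an added illustration of the defect class this report describes (not code from the APF project, the reporter, or the linked fix), the following PHP file puts the weak pattern next to a hardened one: the hypothetical ObjectMapper::deleteObjectUnfiltered() concatenates the value of getObjectID() into the query text, while deleteObject() first validates the ID as a non-negative integer and then binds it as a typed PDO parameter. The class and table names (DomainObject, ObjectMapper, ent_example), and the use of PDO with an in-memory SQLite database in place of the framework's own database layer, are assumptions made so the file runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added illustration for the defect class in this issue; not APF code.
// DomainObject, ObjectMapper and ent_example are hypothetical stand-ins, and
// PDO/SQLite replaces whatever database layer the framework itself uses.

final class DomainObject
{
    public function __construct(private string|int|null $objectId) {}

    // In the report, this accessor's return value reached the SQL string unfiltered.
    public function getObjectID(): string|int|null
    {
        return $this->objectId;
    }
}

final class ObjectMapper
{
    private const TABLE = 'ent_example';

    public function __construct(private PDO $db) {}

    /**
     * Weak pattern: the ID is concatenated verbatim. An ID that arrives as a
     * string (request parameter, form field, cookie) becomes part of the SQL
     * text, which is the shape of the issue described above. Kept only for
     * contrast with deleteObject(); it is not exercised below.
     */
    public function deleteObjectUnfiltered(DomainObject $object): int|false
    {
        $sql = 'DELETE FROM ' . self::TABLE . ' WHERE ' . self::TABLE . 'ID = ' . $object->getObjectID();
        return $this->db->exec($sql);
    }

    /**
     * Hardened pattern: validate the ID as a non-negative integer first, then
     * bind it as a typed parameter so the driver never parses it as SQL.
     */
    public function deleteObject(DomainObject $object): int
    {
        $id = self::requireObjectId($object);
        $stmt = $this->db->prepare('DELETE FROM ' . self::TABLE . ' WHERE ' . self::TABLE . 'ID = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount();
    }

    /** Central filter: anything that is not a decimal integer >= 0 is refused. */
    public static function requireObjectId(DomainObject $object): int
    {
        $raw = $object->getObjectID();
        $id = $raw === null
            ? false
            : filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($id === false) {
            throw new InvalidArgumentException(
                'Object ID must be a non-negative integer, got ' . var_export($raw, true)
            );
        }
        return $id;
    }
}

// Self-check against an in-memory SQLite database holding constructed rows.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ent_example (ent_exampleID INTEGER PRIMARY KEY, label TEXT)');
$db->exec("INSERT INTO ent_example VALUES (1, 'a'), (2, 'b'), (3, 'c')");
$mapper = new ObjectMapper($db);

check($mapper->deleteObject(new DomainObject(2)) === 1, 'integer ID deletes one row');
check($mapper->deleteObject(new DomainObject('3')) === 1, 'numeric string ID is accepted');

$rejected = false;
try {
    $mapper->deleteObject(new DomainObject('3abc'));
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
check($rejected, 'non-integer ID is rejected before any query runs');
check((int) $db->query('SELECT COUNT(*) FROM ent_example')->fetchColumn() === 1, 'one row left');

echo "all checks passed\n";
```

The point of funnelling every affected method through one validator such as requireObjectId() is that the list of entry points in this report (deleteObject, saveObject, the association and relation methods) all consume the same value; a single check at the boundary plus parameter binding in each query closes the whole list rather than one method at a time.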
Attached Files

Relationships

Notes
Note 0000734 - ChristianAchatz (administrator) - 2016-07-21 14:44

Hey Thalo,

thanks for filing a defect. I'll take care of improving the filtering.

Christian

Note 0000735 - ChristianAchatz (administrator) - 2016-07-25 21:51

Still working on it. Trying to cover changes with tests...

Note 0000736 - ChristianAchatz (administrator) - 2016-07-30 10:25

Fixed SQL injection issue. See changes under https://github.com/AdventurePHP/code/commit/7650e38aca093dd59762b2872b89e2dbf655de75.

Issue History
Date Modified Username Field Change
2016-07-20 15:40 thalo1 New Issue
2016-07-20 15:41 thalo1 Tag Attached: gorm
2016-07-21 14:43 ChristianAchatz Summary GORM - SQL Injection Vulnerabilitie => GORM - SQL Injection Vulnerability
2016-07-21 14:43 ChristianAchatz Description Updated
2016-07-21 14:44 ChristianAchatz Note Added: 0000734
2016-07-21 14:44 ChristianAchatz Assigned To => ChristianAchatz
2016-07-21 14:44 ChristianAchatz Status new => assigned
2016-07-25 21:51 ChristianAchatz Note Added: 0000735
2016-07-30 10:25 ChristianAchatz Note Added: 0000736
2016-07-30 10:25 ChristianAchatz Status assigned => resolved
2016-07-30 10:25 ChristianAchatz Fixed in Version => 3.3
2016-07-30 10:25 ChristianAchatz Resolution open => fixed
2016-07-30 10:26 ChristianAchatz Target Version => 3.3


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker