Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Cannot Reproduce
Priority: Major
Fix Version/s: None
Affects Version/s: 1.0 RC1
Component/s: Storage
Labels:
None

keywords:
security
Development Priority:
High
Similar issues:

Description

Reported by Pablo Oliveira:

It's possible for a user to modify the HQL that gets executed (in the Login form or in Search forms for example). For example, it's possible, in the login form type the following instead of the user name:

\'  )   AND 5=BENCHMARK(1000000000,MD5(CHAR(116)))  --

This example will keep the SQL server busy for a long time...

Attachments

Activity

People

Assignee:: CalebJamesDeLisle

Reporter:: Vincent Massol

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 22/Apr/07 19:35

Updated:: 02/Dec/22 11:20

Resolved:: 20/Sep/10 13:55

Date of First Response:: 20/Sep/10 1:55 PM