Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 1.0 B4
    • 1.0 B3

    Description

      It's possible to inject SQL queries.
      Trying to search through Main.WebSearch for something like (quotes included) ' or 1=1 or 1=' makes this query run on the database server:

      select distinct xwikidocum0_.XWD_WEB as col_0_0_, xwikidocum0_.XWD_NAME as col_1_0_
      from xwikidoc xwikidocum0_, xwikiobjects baseobject1_, xwikistrings stringprop2_
      inner join xwikiproperties stringprop2_1_ on stringprop2_.XWS_ID=stringprop2_1_.XWP_ID and stringprop2_.XWS_NAME=stringprop2_1_.XWP_NAME
      where baseobject1_.XWO_NAME=xwikidocum0_.XWD_FULLNAME and stringprop2_.XWS_ID=baseobject1_.XWO_ID
      and (stringprop2_.XWS_VALUE like '%') or 1=1 or 1='%'
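A minimal reproduction of the defect and of the fix, added here as an illustration and not code from XWiki: Python and SQLite stand in for the Hibernate/HQL query, and the xwikistrings table is constructed sample data. The vulnerable function splices the search term into the like pattern exactly as the query above shows; the fixed one binds the pattern as a query parameter and escapes LIKE wildcards so the term is treated as data only.

```python
import sqlite3

# Constructed rows standing in for the xwikistrings table (XWS_NAME, XWS_VALUE).
SAMPLE_ROWS = [
    ("Main.WebHome", "Welcome to the wiki"),
    ("Main.WebSearch", "Search page"),
    ("Admin.Secrets", "internal only"),
]

# The search string from the bug report, quotes included.
INJECTED_TERM = "' or 1=1 or 1='"


def make_db():
    """Build an in-memory table mirroring xwikistrings(XWS_NAME, XWS_VALUE)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table xwikistrings (XWS_NAME text, XWS_VALUE text)")
    conn.executemany("insert into xwikistrings values (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Reproduces the reported defect: the term is concatenated into the
    like pattern, so a quote inside it rewrites the WHERE clause."""
    sql = ("select XWS_NAME from xwikistrings "
           "where (XWS_VALUE like '%" + term + "%')")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Fix: the pattern is bound as a parameter, never spliced into SQL.
    LIKE wildcards in the term are escaped so a user cannot widen the match."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("select XWS_NAME from xwikistrings "
           "where XWS_VALUE like ? escape '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def demo():
    """Run both searches with the injected term; the vulnerable one returns
    every row, the parameterized one returns nothing."""
    conn = make_db()
    return {"vulnerable": search_vulnerable(conn, INJECTED_TERM),
            "fixed": search_parameterized(conn, INJECTED_TERM)}


if __name__ == "__main__":
    print(demo())
```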

      People

        sdumitriu Sergiu Dumitriu
        raffaello Raffaello Pelagalli