
Key: JM-1488
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Thiago Rocha Camargo
Reporter: Thiago Rocha Camargo
Votes: 1
Watchers: 1
Openfire (ARCHIVED)

CallLogDAO in SIP Plugin enables SQL Injection

Created: 11/10/08 02:00 PM   Updated: 11/14/08 08:35 AM
Component/s: Plugins
Affects Version/s: None
Fix Version/s: 3.6.1

Time Tracking:
Original Estimate: 4 hours
Remaining Estimate: 4 hours
Time Spent: Not Specified

Environment: All
Issue Links:
Related to

Resolution Date: 11/14/08 08:35 AM
Acceptance Test - Add?: No


Description
CallLogDAO in the SIP plugin uses prepared statements, but it still concatenates query values into the SQL string when the statement is created.

The values MUST be supplied through the PreparedStatement instance's parameter binding instead, so that user-controlled data is never parsed as SQL; this is what prevents SQL injection.
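The defect described above, as an added illustration that is not the plugin's own code: Openfire is Java/JDBC, but the same mistake is reproduced here with Python's sqlite3 so it runs offline. The table name and columns are constructed stand-ins, not the SIP plugin's real schema. The vulnerable version prepares a statement whose text already contains the value, so a quote in the input changes the query; the fixed version binds the value as a parameter.

```python
import sqlite3


def make_db():
    # Constructed sample call-log table; schema and rows are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sipCallLog (username TEXT, addressTo TEXT, duration INTEGER)"
    )
    conn.executemany(
        "INSERT INTO sipCallLog VALUES (?, ?, ?)",
        [
            ("alice", "sip:bob@example.org", 30),
            ("o'brien", "sip:carol@example.org", 45),
        ],
    )
    return conn


def calls_for_user_vulnerable(conn, username):
    # Pattern reported in JM-1488: a "prepared" statement, but the value is
    # concatenated into the SQL text, so the database parses the input as SQL.
    sql = (
        "SELECT addressTo, duration FROM sipCallLog WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def calls_for_user_fixed(conn, username):
    # Corrected form: constant SQL text, value bound through the statement's
    # parameter (the JDBC equivalent is PreparedStatement.setString).
    sql = "SELECT addressTo, duration FROM sipCallLog WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    # Returns (vulnerable_result, fixed_result); a quote in the username
    # breaks the vulnerable query (captured here as an error string) while
    # the bound query treats it as plain data.
    conn = make_db()
    try:
        vulnerable = calls_for_user_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        vulnerable = "error: " + str(exc)
    return vulnerable, calls_for_user_fixed(conn, username)
```

For a plain name both functions agree; for a name containing an apostrophe only the bound version still returns the right row, which is the behaviour the fix restores.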



Comments
Guus der Kinderen added a comment - 11/10/08 02:17 PM
This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Guus der Kinderen added a comment - 11/12/08 09:41 AM
I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.