Openfire (ARCHIVED) / JM-1488

CallLogDAO in SIP Plugin enables SQL Injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.1
    • Component/s: Plugins
    • Labels: None
    • Environment: All

      Description

      CallLogDAO in the SIP Plugin is using prepared statements, but it is still inserting SQL query values into the initialization string.

      The values MUST be inserted into the prepared statement via the PreparedStatement instance to prevent SQL injection.
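The flaw described above and its fix, as an added illustration that is not code from the Openfire SIP plugin: Python's sqlite3 stands in for JDBC here, where the equivalent fix is a constant SQL string with `?` placeholders passed to `prepareStatement` and values bound through `setString`. The `call_log` table, its columns, the sample rows and all function names are hypothetical.

```python
import sqlite3

def make_db():
    """Build an in-memory database with a constructed call-log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE call_log (username TEXT, callee TEXT, duration INTEGER)")
    conn.executemany(
        "INSERT INTO call_log VALUES (?, ?, ?)",
        [("alice", "1001", 60), ("bob", "1002", 30), ("o'brien", "1003", 10)],
    )
    return conn

def calls_vulnerable(conn, username):
    # The flaw the issue describes: the statement API is used, but the value is
    # pasted into the SQL text, so the database parses it as part of the query.
    sql = "SELECT callee FROM call_log WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def calls_fixed(conn, username):
    # The SQL text is constant; the value is bound separately and stays data.
    sql = "SELECT callee FROM call_log WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    results = {
        "vulnerable_crafted": calls_vulnerable(conn, crafted),  # every user's rows
        "fixed_crafted": calls_fixed(conn, crafted),            # no such username
        "fixed_quote": calls_fixed(conn, "o'brien"),            # legitimate quote works
    }
    try:
        # A legitimate name containing a quote breaks the concatenated query.
        calls_vulnerable(conn, "o'brien")
        results["vulnerable_quote"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "syntax error"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The quote case is a useful regression check: a concatenated query that fails on an ordinary value such as `o'brien` is parsing user input as SQL.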

            Activity

            guus Guus der Kinderen added a comment -

            This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

            guus Guus der Kinderen added a comment -

            I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.


              People

              • Assignee:
                thiago Thiago Rocha Camargo
                Reporter:
                thiago Thiago Rocha Camargo