[JM-1488] CallLogDAO in SIP Plugin enables SQL Injection
Created: 10/Nov/08 Updated: 14/Nov/08 Resolved: 14/Nov/08

Status: Closed
Project: Openfire (ARCHIVED)
Components: Plugins
Affects versions: None
Fix versions: 3.6.1
Type: Bug
Priority: Major
Reporter: Thiago Rocha Camargo
Assignee: Thiago Rocha Camargo
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: 4 hours
Time Spent: Not Specified
Original estimate: 4 hours
Environment: All
Issue links:

Description
CallLogDAO in SIP Plugin is using prepared statements. The values MUST be inserted in the prepared statement via the PreparedStatement instance to prevent SQL injection.
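The binding the description calls for, shown beside the concatenating form, as an added example that is not the SIP plugin's code. The class, table and column names are hypothetical, and the caller is assumed to supply an open JDBC Connection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical DAO: table and column names are assumptions, not the SIP plugin's schema.
public class CallLogQueryExample {
    // Before: a PreparedStatement is created, but the value is already part of the
    // SQL text, so the driver cannot tell data from query syntax.
    static List<String> findCallsConcatenated(Connection con, String username) throws SQLException {
        String sql = "SELECT callId FROM exampleCallLog WHERE username = '" + username + "'";
        try (PreparedStatement ps = con.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
            return readIds(rs);
        }
    }

    // After: the SQL text holds only placeholders. Each optional criterion adds a
    // placeholder to the text and its value to a parallel list, bound afterwards.
    static List<String> findCallsBound(Connection con, String username, String type)
            throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT callId FROM exampleCallLog WHERE 1 = 1");
        List<String> params = new ArrayList<>();
        if (username != null) {
            sql.append(" AND username = ?");
            params.add(username);
        }
        if (type != null) {
            sql.append(" AND type = ?");
            params.add(type);
        }
        try (PreparedStatement ps = con.prepareStatement(sql.toString())) {
            for (int i = 0; i < params.size(); i++) {
                ps.setString(i + 1, params.get(i)); // JDBC parameter indexes start at 1
            }
            try (ResultSet rs = ps.executeQuery()) {
                return readIds(rs);
            }
        }
    }

    private static List<String> readIds(ResultSet rs) throws SQLException {
        List<String> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getString("callId"));
        }
        return ids;
    }
}
```

In review, a `prepareStatement` call whose argument is built with `+` from request data and is followed by no `setXxx` calls is the pattern to flag.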
Comments

Comment by Guus der Kinderen [ 10/Nov/08 ]
This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Comment by Guus der Kinderen [ 12/Nov/08 ]
I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.