[JM-1488] CallLogDAO in SIP Plugin enables SQL Injection Created: 10/Nov/08  Updated: 14/Nov/08  Resolved: 14/Nov/08

Status: Closed
Project: Openfire (ARCHIVED)
Components: Plugins
Affects versions: None
Fix versions: 3.6.1

Type: Bug Priority: Major
Reporter: Thiago Rocha Camargo Assignee: Thiago Rocha Camargo
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: 4 hours
Time Spent: Not Specified
Original estimate: 4 hours
Environment: All


Issue links:
Related to
is related to JM-629 Additional cross-site scripting bugs ... Closed
is related to JM-1489 Authentication bypass allowing arbitr... Closed

Description

CallLogDAO in the SIP Plugin is using prepared statements,
but it still inserts the SQL query values into the initialization string.

The values MUST be inserted into the prepared statement via the PreparedStatement instance to prevent SQL injection.
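To illustrate the difference the description points at, here is an added example (not the plugin's actual CallLogDAO code) that shows the flawed pattern next to the corrected one; the table and column names (ofSipPhoneLog, username, addressTo) are assumed for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical call-log lookup; the schema names are assumptions for this example. */
public class CallLogExample {

    // Flawed pattern the issue describes: the statement is "prepared", but the
    // user-controlled value was already concatenated into the SQL text, so the
    // driver cannot tell data from SQL and the input is parsed as part of the query.
    static List<String> getCallsConcatenated(Connection con, String username) throws SQLException {
        String sql = "SELECT addressTo FROM ofSipPhoneLog WHERE username = '" + username + "'";
        try (PreparedStatement pstmt = con.prepareStatement(sql);
             ResultSet rs = pstmt.executeQuery()) {
            return collect(rs);
        }
    }

    // Corrected pattern: the SQL text holds only a placeholder, and the value is
    // bound through the PreparedStatement instance, so it reaches the database
    // as a parameter and is never interpreted as SQL.
    static List<String> getCallsBound(Connection con, String username) throws SQLException {
        String sql = "SELECT addressTo FROM ofSipPhoneLog WHERE username = ?";
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setString(1, username);
            try (ResultSet rs = pstmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> rows = new ArrayList<>();
        while (rs.next()) {
            rows.add(rs.getString(1));
        }
        return rows;
    }
}
```

A quick code-review check for this class of bug is to look for any `prepareStatement(` call whose argument is built with `+` or `String.format`; a correct use has a constant SQL string and one `setXxx` call per `?`.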



Comments
Comment by Guus der Kinderen [ 10/Nov/08 ]

This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Comment by Guus der Kinderen [ 12/Nov/08 ]

I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.
