Achievo/ATK - Bug 368 – Possible sql insertion problem

Bug 368 - Possible sql insertion problem

Summary:

Possible sql insertion problem

Status:	RESOLVED FIXED

Product:	ATK
Component:	Security
Version:	SVN
Platform:	All All

Importance:	P1 critical
Assigned To:	Ivo Jansch

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2004-10-18 13:41 by Ivo Jansch
Modified:	2004-10-23 00:10 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Ivo Jansch 2004-10-18 13:41:14

The login screen does not escape the value entered for the username. Arbitrary
SQL code can be entered in the password check code.

The password is checked separately from retrieving the userinfo, so login
without a password is not possible, but it is nevertheless 'dangerous' that
arbitrary code ends up in the where clause.

------- Comment #1 From Sandy Pleyte 2004-10-23 00:10:14 -------

This is fixed in cvs.

Format For Printing
- XML
- Clone This Bug
- Top of page