View Issue Details

ID: 0000306
Project: GORM
Category: [Adventure PHP Framework] Sicherheit // Security
View Status: public
Last Update: 2016-07-30 10:26
Reporter: thalo1
Assigned To: ChristianAchatz
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: [Adventure PHP Framework] 3.2
Target Version: [Adventure PHP Framework] 3.3
Fixed in Version: [Adventure PHP Framework] 3.3

Summary: 0000306: GORM - SQL Injection Vulnerability

Description:
Inadequate filtering of GenericDomainObject::getObjectID() leads to a SQL Injection vulnerability.

Affected methods:

deleteObject
saveObject
loadRelatedObjects
loadNotRelatedObjects
loadRelationMultiplicity
createAssociation
deleteAssociation
deleteAssociations
isAssociated
isComposed
Tags: gorm
Code reference: ([file]:[line])
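The pattern behind this report, as an added illustration: a domain object's id concatenated into SQL text next to the same operation with the id filtered to a plain integer and bound as a typed parameter. This is example code written for this page, not the Adventure PHP Framework's implementation; GenericDomainObject, the table/column naming and the PDO-based deleteObjectHardened() are hypothetical stand-ins.

```php
<?php
// Added illustration of the reported bug class. GenericDomainObject, getObjectID() and the
// table/column naming are hypothetical stand-ins, not the Adventure PHP Framework's real code.
declare(strict_types=1);

final class GenericDomainObject
{
    public function __construct(private string $objectName, private mixed $objectId) {}
    public function getObjectName(): string { return $this->objectName; }
    // In the reported defect this value reached the SQL text without adequate filtering.
    public function getObjectID(): mixed { return $this->objectId; }
}

// "Before": the raw id is concatenated into the statement, so a tampered id changes the query.
function buildDeleteVulnerable(GenericDomainObject $object): string
{
    $name = $object->getObjectName();
    return "DELETE FROM `{$name}` WHERE `{$name}ID` = " . $object->getObjectID();
}

// "After", step 1: accept only a plain non-negative integer (int or digit-only string).
function filteredObjectId(GenericDomainObject $object): int
{
    $raw = $object->getObjectID();
    $digits = is_int($raw) && $raw >= 0 ? (string) $raw : (is_string($raw) ? $raw : '');
    if ($digits === '' || !ctype_digit($digits)) {
        throw new InvalidArgumentException('Object id must be a non-negative integer.');
    }
    return (int) $digits;
}

// "After", step 2: bind the id as a typed parameter; whitelist the identifier, which cannot be bound.
function deleteObjectHardened(PDO $conn, GenericDomainObject $object): int
{
    $id = filteredObjectId($object);
    $name = $object->getObjectName();
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('Invalid object name.');
    }
    $stmt = $conn->prepare("DELETE FROM `{$name}` WHERE `{$name}ID` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample: an id that is not a bare integer.
$tampered = new GenericDomainObject('User', '1 OR 1=1');
echo buildDeleteVulnerable($tampered), PHP_EOL;   // the extra clause ends up inside the statement text
try { filteredObjectId($tampered); } catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

The hardened path rejects the id before any SQL is built, which is the property a regression test for the affected methods should assert on.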

Activities

ChristianAchatz

2016-07-21 14:44

administrator   ~0000734

Hey Thalo,

thanks for filing a defect. I'll take care of improving the filtering.

Christian

ChristianAchatz

2016-07-25 21:51

administrator   ~0000735

Still working on it. Trying to cover changes with tests...

ChristianAchatz

2016-07-30 10:25

administrator   ~0000736

Fixed SQL injection issue. See changes under https://github.com/AdventurePHP/code/commit/7650e38aca093dd59762b2872b89e2dbf655de75.

Issue History

Date Modified Username Field Change
2016-07-20 15:40 thalo1 New Issue
2016-07-20 15:41 thalo1 Tag Attached: gorm
2016-07-21 14:43 ChristianAchatz Summary GORM - SQL Injection Vulnerabilitie => GORM - SQL Injection Vulnerability
2016-07-21 14:43 ChristianAchatz Description Updated View Revisions
2016-07-21 14:44 ChristianAchatz Note Added: 0000734
2016-07-21 14:44 ChristianAchatz Assigned To => ChristianAchatz
2016-07-21 14:44 ChristianAchatz Status new => assigned
2016-07-25 21:51 ChristianAchatz Note Added: 0000735
2016-07-30 10:25 ChristianAchatz Note Added: 0000736
2016-07-30 10:25 ChristianAchatz Status assigned => resolved
2016-07-30 10:25 ChristianAchatz Fixed in Version => 3.3
2016-07-30 10:25 ChristianAchatz Resolution open => fixed
2016-07-30 10:26 ChristianAchatz Target Version => 3.3