DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14286>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14286

SQL Injection Vulnerability in DatabaseAuthenticatorAction

           Summary: SQL Injection Vulnerability in DatabaseAuthenticatorAction
           Product: Cocoon 2
           Version: Current CVS
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: core
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


The code (in head as well as 2.0.3) dynamically builds the SQL select statement, does not use PreparedStatement, and does no input validation.

The exploit is easily reproducible by entering a string such as

  Donald Ball'; DROP TABLE employee;

as the user name in the form at /samples/protected/login.

The vulnerability of course is not limited to the example, but would apply to anyone using DatabaseAuthenticatorAction.

SOLUTION: Use PreparedStatement.

The code seems to be largely based on DatabaseSelectAction, which uses PreparedStatement. Is it a reasonable solution to make DatabaseAuthenticatorAction extend DatabaseSelectAction, call super.act() and introduce only the extra functionality needed?

Unfortunately, I am unable to work on this at the moment.

Geoff Howard
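The following is an added example, not code from Cocoon or from the reporter: a small Python/sqlite3 reproduction of the pattern the report describes, with the concatenated-string query beside the parameterized form that corresponds to JDBC PreparedStatement. The `employee` table layout, the two sample rows and the stacked-statement emulation in `login_vulnerable` are assumptions made for illustration (Python's sqlite3 `execute` runs only one statement, so the helper splits on `;` to mimic a driver that accepts stacked queries). Beyond the report's `DROP TABLE` payload it also shows the more common authentication-bypass variant, a tautology in the password field, which the concatenated query accepts and the parameterized query rejects.

```python
import sqlite3

# Constructed sample rows, not taken from the Cocoon sample application.
# Plaintext passwords are used only to keep the demo short.
USERS = [("donald", "secret1"), ("alice", "hunter2")]

DROP_PAYLOAD = "Donald Ball'; DROP TABLE employee;"   # the report's payload
BYPASS_PAYLOAD = "' OR '1'='1"                        # tautology, password field


def setup_db():
    """In-memory database with an assumed employee(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def table_exists(conn, name="employee"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_vulnerable_sql(username, password):
    """The pattern the report describes: user input spliced into the SQL text."""
    return ("SELECT username FROM employee WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Run the concatenated query. Returns True when it matched a row.

    Emulates a driver that accepts stacked statements: each ';'-separated piece
    is executed in order and execution stops at the first syntax error, which is
    how the trailing fragment of the report's payload ends (after the DROP ran).
    Splitting on ';' is a simplification for the demo, not a real SQL parser.
    """
    sql = build_vulnerable_sql(username, password)
    matched = False
    for i, stmt in enumerate(s for s in sql.split(";") if s.strip()):
        try:
            rows = conn.execute(stmt).fetchall()
        except sqlite3.Error:
            break
        if i == 0:
            matched = len(rows) > 0
    conn.commit()
    return matched


def login_safe(conn, username, password):
    """Parameterized query: the Python equivalent of JDBC PreparedStatement.

    The SQL text is fixed; username and password are bound as values, so a quote
    or semicolon in either is just part of the compared string.
    """
    rows = conn.execute(
        "SELECT username FROM employee WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def demo():
    """Run both versions against each payload and collect the outcomes."""
    results = {}
    conn = setup_db()
    results["vuln_bypass"] = login_vulnerable(conn, "nobody", BYPASS_PAYLOAD)
    results["vuln_drop_login"] = login_vulnerable(conn, DROP_PAYLOAD, "x")
    results["vuln_table_survives"] = table_exists(conn)

    conn = setup_db()
    results["safe_valid_login"] = login_safe(conn, "donald", "secret1")
    results["safe_bypass"] = login_safe(conn, "nobody", BYPASS_PAYLOAD)
    results["safe_drop_login"] = login_safe(conn, DROP_PAYLOAD, "x")
    results["safe_table_survives"] = table_exists(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the tautology payload works because `password = '' OR '1'='1'` is evaluated after the `AND`, so the whole WHERE clause becomes true for every row; the vulnerable path therefore reports a successful login for a user that does not exist, while the parameterized path compares the literal string `' OR '1'='1` against the stored password and finds nothing. Binding parameters fixes the injection; the plaintext password comparison is a separate shortcut of this demo and not something to copy.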