I have some remarks about the Bugtracker templates:
 
- In the Bugtracker code, "method=pagelogon" is not used for the admin logon. From what I read in the documentation, this could be a security error.
- Checking a user's logon with account='$account' AND password='$password' seems to be vulnerable to SQL injection. You can pass password=' ' OR '1'='1'. An additional comparison of the values could solve this.
 
Martijn Houtman
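The injection described in the second remark, as an added example that is not part of the original post or of the Bugtracker templates. It rebuilds the quoted WHERE clause by string interpolation next to a version using bound parameters, and runs both against a constructed in-memory SQLite table (the table, the account name and the password are assumptions made for the demonstration):

```python
import sqlite3

# Constructed sample data, not from the Bugtracker project: one account.
# Passwords are stored in clear here only to mirror the quoted template;
# a real application should store a salted hash and compare against that.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, account, password):
    """Builds the query by interpolation, like account='$account' AND
    password='$password' in the post. Returns the matched account or None."""
    sql = ("SELECT account FROM users WHERE account='%s' AND password='%s'"
           % (account, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, account, password):
    """Bound parameters: the user's input is data, never parsed as SQL."""
    row = conn.execute(
        "SELECT account, password FROM users WHERE account=? AND password=?",
        (account, password)).fetchone()
    if row is None:
        return None
    # The additional compare of the values suggested in the post; with bound
    # parameters it is redundant, but it costs nothing.
    if row[0] != account or row[1] != password:
        return None
    return row[0]


# The payload from the post. Interpolated, the WHERE clause becomes
#   account='admin' AND password='' OR '1'='1'
# and the OR branch is true for every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(login_vulnerable(conn, "admin", PAYLOAD))   # admin
    print(login_vulnerable(conn, "nobody", PAYLOAD))  # admin
    print(login_safe(conn, "admin", PAYLOAD))         # None
    print(login_safe(conn, "admin", "s3cret"))        # admin
```

The vulnerable function logs in as admin for any account name once the payload is supplied; the parameterised version only matches when both values are exactly right.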