https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19061

            Bug ID: 19061
           Summary: sql injection vulnerability in cash_register_stats.pl
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Reports
          Assignee: koha-bugs@lists.koha-community.org
          Reporter: colin.campb...@ptfs-europe.com
        QA Contact: testo...@bugs.koha-community.org

Two parameters are embedded in the SQL statement executed by this report, so
that sending a single quote as the value for branch generates a return of a
MySQL error. Parameters should always be passed via placeholders in the
statement and as parameters to the exec call.
While not a major vulnerability, this will be picked up by penetration testing
scripts.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
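The defect class the report describes, as an added illustration that is not Koha's code (Koha is written in Perl and uses DBI; the `register` table, column names and sample rows below are constructed for the example, and Python's sqlite3 module stands in for the Perl DBI/MySQL combination). The `totals_vulnerable` function splices the request value into the statement text, so the single-quote probe from the report produces a database error and a crafted value changes the WHERE clause; `totals_parameterized` binds the same value through a `?` placeholder, so the statement text is fixed and the value can only ever be compared as data:

```python
import sqlite3

# Constructed sample data standing in for a cash-register/statistics table.
# This is an illustration of the defect class, not Koha's schema or code.
SAMPLE_ROWS = [
    ("CPL", "Payment", 5.00),
    ("CPL", "Payment", 2.50),
    ("MPL", "Payment", 1.25),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE register (branch TEXT, type TEXT, amount REAL)")
    conn.executemany("INSERT INTO register VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def totals_vulnerable(conn, branch):
    """'Before' pattern from the report: the request value is spliced into the
    SQL text, so a single quote breaks the statement or changes its meaning."""
    sql = ("SELECT branch, SUM(amount) FROM register "
           "WHERE branch = '" + branch + "' GROUP BY branch")
    return conn.execute(sql).fetchall()


def totals_parameterized(conn, branch):
    """'After' pattern: the value is bound with a placeholder; the statement
    text never changes and the driver passes the value separately."""
    sql = ("SELECT branch, SUM(amount) FROM register "
           "WHERE branch = ? GROUP BY branch")
    return conn.execute(sql, (branch,)).fetchall()


def probe(func, branch):
    """Run a query function against a fresh database with the given branch
    value. Returns ('ok', rows) or ('error', message) so the single-quote
    probe from the report can be compared across both implementations."""
    conn = make_db()
    try:
        return ("ok", func(conn, branch))
    except sqlite3.Error as e:
        return ("error", str(e))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate value, the single-quote probe, and a tautology payload.
    for value in ("CPL", "'", "' OR '1'='1"):
        print(repr(value), "vulnerable:    ", probe(totals_vulnerable, value))
        print(repr(value), "parameterized: ", probe(totals_parameterized, value))
```

The single quote is the cheapest check a scanner runs: a raw database error in the response is what flags the parameter as unescaped. The tautology value shows why that matters even when the report is read-only, since the spliced version returns totals for every branch while the bound version simply matches no row.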