
This queue is for tickets about the CatalystX-CRUD CPAN distribution.

Report information
The Basics
Id: 51777
Status: resolved
Priority: 0/
Queue: CatalystX-CRUD

People
Owner: Nobody in particular
Requestors: cr2005 [...] u-club.de
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

Subject: CatalystX::CRUD::Model::Utils make_sql_query SQL injection
Hi! The CatalystX::CRUD::Model::Utils->make_sql_query is vulnerable to SQL injection. The query parameters aren't filtered properly. Example: calling your CatalystX::CRUD::Controller with this URL http://hirnlego:3000/list?cxc-order=name%20id%3bdrop%0dtable%0dtest%0d%3bselect%0d1%0d-- will drop table 'test' from your DB.
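As an added example (not code from CatalystX::CRUD or Sort::SQL), this is the kind of allow-list check that keeps a user-supplied `cxc-order` value out of ORDER BY unless every token is a known column name or ASC/DESC; the column list and the whitespace/comma-separated sort format are assumptions. It is run against the decoded payload from the report above, which it rejects.

```perl
#!/usr/bin/env perl
# Added example, not CatalystX::CRUD or Sort::SQL code: refuse a sort
# parameter unless every token is an allow-listed column or ASC/DESC.
use strict;
use warnings;

# Columns the model is allowed to sort on (constructed for this example).
my %ALLOWED_COLUMN = map { $_ => 1 } qw(id name email created);

# Build an ORDER BY fragment from a cxc-order style value such as
# "name DESC, id" or "name id" (assumed format: columns separated by
# whitespace or commas, each optionally followed by ASC or DESC).
# Anything else dies; bad input is refused rather than "cleaned".
sub safe_order_by {
    my ($raw, $default) = @_;
    return $default unless defined $raw && $raw =~ /\S/;
    my @clauses;    # [ column, direction ]
    for my $tok (grep { length } split /[\s,]+/, $raw) {
        if ($tok =~ /\A(?:asc|desc)\z/i) {
            die "direction '$tok' without a preceding column\n" unless @clauses;
            die "two directions for column '$clauses[-1][0]'\n" if $clauses[-1][1];
            $clauses[-1][1] = uc $tok;
        }
        elsif ($ALLOWED_COLUMN{$tok}) {
            push @clauses, [ $tok, undef ];
        }
        else {
            # Covers 'id;drop', '--', '1' and any column not in the list.
            die "rejected sort token '$tok'\n";
        }
    }
    return join ', ', map { "$_->[0] " . ($_->[1] || 'ASC') } @clauses;
}

# Minimal percent-decoding so the script needs no non-core modules.
sub url_decode { my $s = shift; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; $s }

# Constructed inputs; the last one is the payload quoted in the report.
for my $in ('name', 'name DESC, id', 'name id',
            url_decode('name%20id%3bdrop%0dtable%0dtest%0d%3bselect%0d1%0d--')) {
    my $order = eval { safe_order_by($in, 'id ASC') };
    (my $shown = $in) =~ s/\r/\\r/g;    # make the CR bytes visible
    print defined $order ? "ok      '$shown' -> ORDER BY $order\n"
                         : "reject  '$shown' -> $@";
}
```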
Subject: Re: [rt.cpan.org #51777] CatalystX::CRUD::Model::Utils make_sql_query SQL injection
Date: Fri, 20 Nov 2009 13:46:48 -0600
To: bug-CatalystX-CRUD [...] rt.cpan.org
From: Peter Karman <peter [...] peknet.com>
chris via RT wrote on 11/20/2009 01:10 PM:
> The CatalystX::CRUD::Model::Utils->make_sql_query is vulnerable for
> SQL injections. The query parameters aren't filtered properly.

Thanks. Sort::SQL 0.07 just uploaded to pause to address this issue. I have a couple other fixes to make for what will be CX::CRUD 0.46 and then I'll upload that with a new dep bump for Sort::SQL.
-- 
Peter Karman . http://peknet.com/ . peter@peknet.com
version 0.46 just uploaded to pause.
Subject: Re: [rt.cpan.org #51777] CatalystX::CRUD::Model::Utils make_sql_query SQL injection
Date: Fri, 20 Nov 2009 22:30:16 +0100
To: bug-CatalystX-CRUD [...] rt.cpan.org
From: Christoph <cr2005 [...] u-club.de>
Cool. I'll check it out as soon as the mirrors have synced. tx, chr

peter@peknet.com via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=51777 >
>
> chris via RT wrote on 11/20/2009 01:10 PM:
>> The CatalystX::CRUD::Model::Utils->make_sql_query is vulnerable for
>> SQL injections. The query parameters aren't filtered properly.
>
> Thanks. Sort::SQL 0.07 just uploaded to pause to address this issue.
> I have a couple other fixes to make for what will be CX::CRUD 0.46 and
> then I'll upload that with a new dep bump for Sort::SQL.