Headline
CVE-2015-10091: Bug 14521: SQL injection in local use system preferences · bywatersolutions/bywater-koha-xslt@9513b93
A vulnerability has been found in ByWater Solutions bywater-koha-xslt and classified as critical. This vulnerability affects the function StringSearch of the file admin/systempreferences.pl. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The name of the patch is 9513b93c828dfbc4413f9e0df63647401aaf4e58. It is recommended to apply a patch to fix this issue. VDB-222322 is the identifier assigned to this vulnerability.
Permalink
Browse files
Bug 14521: SQL injection in local use system preferences
This patch fixes a SQL injection vulnerability in the local use system preferences.
_TEST PLAN_
Before applying:
Go to Global System Preferences
Click on the “Local use” tab
Add a new preference with the value "’) or ‘1’ = ‘1’ – " (be sure to include the space at the end after the comment --).
When the page refreshes, you should now see about 99 other system preferences which shouldn’t be showing up.
Apply the patch
Refresh the page
Note that you now only see a system preference for "’) or ‘1’ = ‘1’ – " and the other actual local use system preferences.
Signed-off-by: Chris Cormack [email protected]
Signed-off-by: Jonathan Druart [email protected] Signed-off-by: Tomas Cohen Arazi [email protected] (cherry picked from commit a72262a) Signed-off-by: Chris Cormack [email protected] Signed-off-by: Liz Rea [email protected]
- Loading branch information