CallLogDAO in SIP Plugin enables SQL Injection

Description

CallLogDAO in SIP Plugin is using prepared Statements.
But still inserting SQL Query values in the initialization String.

The values MUST be inserted in the prepared Statement via PreparedStatement Instance to prevent SQL Injection.

Environment

All

Linked work items

is related to

JM-1489

Authentication bypass allowing arbitrary code execution

JM-629

Additional cross-site scripting bugs in login

Activity

Show:

Guus der Kinderen
November 12, 2008 at 3:41 PM

I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.

Guus der Kinderen
November 10, 2008 at 8:17 PM

This should fix problem #2 as described in http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

Resize issue view side panel

Fixed

Details

Assignee

Thiago Rocha Camargo

Reporter

Thiago Rocha Camargo

Original estimate

Time tracking

No time logged4h remaining

Components

Fix versions

3.6.1

Priority

Major

Created November 10, 2008 at 8:00 PM

Updated November 14, 2008 at 2:35 PM

Resolved November 14, 2008 at 2:35 PM