Authenticated SQL Injection in show_groups_popup.php #1215
Comments

SQL binding is needed there.

Hello @tmccormi, can I work on this Issue?

by all means
Tony McCormick
Medical Information Integration

@prondubuisi Shall I send you a project invitation so I can assign you to this?

Yes @aethelwulffe

@prondubuisi I have added you as a read collaborator. Pick up your invite. @teryhill look at all our permissions. I amped up write access for a couple more of our collaborators that have been contributing for over a year, and have been helping with review or other tasks outside of a GSoC-type program setting.

Hi :)

Hello @NicoleG25, this is fixed already. Looks like you are interested in security; would be very happy to have a chat. What is this all about: CVE-2018-1000650?

@muarachmann can we close this?

Gladly, I'll email you privately :)

Hello @muarachmann, can this issue be closed since it is fixed already? I am looking at picking up more security related issues in the coming days!
The Issue

SQL Injections are vulnerabilities in which the developer overly trusts user-controlled input. This allows an attacker to perform malicious queries upon the database, which can lead to compromise of all data within the database and call the integrity of the data into question.

An attacker must be authenticated to perform this attack.

Where the Issue Occurred

The following code snippet shows the SQL query being created with a tainted variable:

lh-ehr/interface/super/show_groups_popup.php, lines 51 to 52 at cacaa71

The following code snippet shows the above-mentioned SQL query being executed:

lh-ehr/interface/super/show_groups_popup.php, line 53 at cacaa71
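The two referenced lines of show_groups_popup.php are not reproduced on this page, so the following is an added, constructed illustration (not the project's code) of the pattern the report and the "SQL binding is needed" comment describe: a request-controlled value spliced into query text, next to the same lookup done with a bound parameter. Python's sqlite3 stands in for the project's database layer; the table name, columns, sample rows, function names and payloads are assumptions made for this example. Because the attacker here already holds a valid session, authentication is not the control; binding is.

```python
import sqlite3

# Constructed, self-contained stand-in for the group lookup the issue describes.
# The table name, columns and rows are assumptions for this example; they are
# not the project's schema, and the functions below are not the project's code.


def make_db():
    """Create an in-memory database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_groups (list_id TEXT, option_id TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_groups VALUES (?, ?, ?)",
        [
            ("groups", "admin", "Administrators"),
            ("groups", "clinic", "Clinic staff"),
            ("private", "billing", "Billing (should never be listed here)"),
        ],
    )
    return conn


def show_groups_vulnerable(conn, list_id):
    """The anti-pattern from the issue: a request-controlled value is spliced
    into the SQL text, so the caller controls the query, not just the value."""
    sql = (
        "SELECT option_id, title FROM user_groups WHERE list_id = '"
        + list_id
        + "' ORDER BY option_id"
    )
    return conn.execute(sql).fetchall()


def show_groups_bound(conn, list_id):
    """The fix the thread asks for: the value is passed as a bound parameter.
    The driver hands it to the engine separately from the statement text, so
    quotes, comment markers and keywords inside it stay data and cannot change
    the shape of the query."""
    sql = (
        "SELECT option_id, title FROM user_groups "
        "WHERE list_id = ? ORDER BY option_id"
    )
    return conn.execute(sql, (list_id,)).fetchall()


# Two payloads an authenticated user could place in the request parameter.
# Both are constructed for this example.
TAUTOLOGY = "groups' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both implementations against a legitimate value and both payloads
    and return every result set so they can be compared."""
    conn = make_db()
    return {
        "legit_vulnerable": show_groups_vulnerable(conn, "groups"),
        "legit_bound": show_groups_bound(conn, "groups"),
        # Tautology turns the WHERE clause into "always true": every row leaks,
        # including the one that was never meant to be listed.
        "tautology_vulnerable": show_groups_vulnerable(conn, TAUTOLOGY),
        # With binding the payload is just a list_id that no row has: no rows.
        "tautology_bound": show_groups_bound(conn, TAUTOLOGY),
        # UNION pivots the query to read the schema catalogue instead; the
        # trailing "--" comments out the rest of the original statement.
        "union_vulnerable": show_groups_vulnerable(conn, UNION_SCHEMA),
        "union_bound": show_groups_bound(conn, UNION_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script prints the six result sets side by side: the legitimate value behaves identically in both versions, while the two payloads only change the outcome of the concatenating version. Note that the check is on what the query returns, not on what the input looks like; an input allowlist can be added on top, but the property that makes the bound version safe is that the value never becomes part of the SQL text, which is what the "SQL binding" comment in the thread refers to.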