
SQL injection vulnerability was discovered in MRCMS #16

Closed

QiAnXinCodeSafe opened this issue Sep 21, 2018 · 2 comments

Comments

@QiAnXinCodeSafe

Hi all,
There is a SQL injection vulnerability found by the Qihoo360 CodeSafe Team.
Details as below:
The getChannel method in the ChannelService.java file is used directly to assemble and run SQL statements without filtering parameters, resulting in SQL injection.
Continuous tracing shows that the getChannel method is invoked in WebApp.java.
View the WebParam.get() method.
When param is empty (that is, the first time), a param will be constructed; view the constructor.
You can see that all attributes in WebParam are obtained from the request and are controlled by attackers.
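To make the reported pattern concrete, here is an added example (not code from MRCMS, which is a Java project, and not from the reporter) using Python's built-in sqlite3 with a constructed `channel` table: a lookup that splices a request-controlled value into the SQL, beside the parameterized form, so the difference in behaviour on a tautology input can be observed directly.

```python
import sqlite3

# Constructed sample data standing in for a CMS "channel" table (not MRCMS's schema).
SAMPLE_CHANNELS = [("news", "News"), ("blog", "Blog"), ("hidden", "Unpublished")]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE channel (name TEXT, title TEXT)")
    conn.executemany("INSERT INTO channel VALUES (?, ?)", SAMPLE_CHANNELS)
    return conn


def get_channel_vulnerable(conn, name):
    """Mirrors the reported defect: a value taken from the HTTP request
    (the WebParam attributes in the issue) is concatenated into the query,
    so the database parses attacker-controlled text as SQL."""
    sql = "SELECT name, title FROM channel WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def get_channel_fixed(conn, name):
    """Hardened form: the value is bound as a parameter, so it is compared
    as data and can never change the structure of the statement."""
    sql = "SELECT name, title FROM channel WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input; returns (vulnerable_rows, fixed_rows)."""
    conn = make_db()
    try:
        return get_channel_vulnerable(conn, name), get_channel_fixed(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves identically in both versions.
    print(compare("news"))
    # A tautology input returns every row from the concatenating version,
    # including the unpublished channel, and nothing from the bound version.
    print(compare("x' OR '1'='1"))
```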

@wuweiit (Owner)

wuweiit commented Sep 21, 2018

I don't understand why this injection bug had to be described in English, but I'm glad to fix it. Thanks to the Qihoo360 CodeSafe Team.

@wuweiit (Owner)

wuweiit commented Sep 21, 2018

The bug has been fixed in the latest source code.

wuweiit closed this as completed Sep 21, 2018