/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*
The SQL query is not constructed correctly; placeholders must be used.
Subscription id and status list can be provided by the user.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
return unless ($subscription and @$statuses);
return unless ($subscription and @$statuses);
- my $statuses_string = join ',', @$statuses;
-
my $dbh = C4::Context->dbh;
my $dbh = C4::Context->dbh;
SELECT serialid,serialseq, status, planneddate, publisheddate,
publisheddatetext, notes, routingnotes
FROM serial
SELECT serialid,serialseq, status, planneddate, publisheddate,
publisheddatetext, notes, routingnotes
FROM serial
- WHERE subscriptionid=$subscription AND status IN ($statuses_string)
+ WHERE subscriptionid=?
+ |
+ . q| AND status IN (| . join( ",", ('?') x @$statuses ) . ")" . q|)|
+ . q|
ORDER BY publisheddate,serialid DESC
ORDER BY publisheddate,serialid DESC
$debug and warn "GetSerials2 query: $query";
my $sth = $dbh->prepare($query);
$debug and warn "GetSerials2 query: $query";
my $sth = $dbh->prepare($query);
+ $sth->execute( $subscription, @$statuses );
my @serials;
while ( my $line = $sth->fetchrow_hashref ) {
my @serials;
while ( my $line = $sth->fetchrow_hashref ) {