[Commotion-admin] [commotion-feed] SQL Injection in rhizome http service (#18)

areynold notifications at github.com
Thu Oct 10 19:59:53 UTC 2013


The HTTP URL parameters are not sanitized in rhizome_http.c when /rhizome/manifestbyprefix/ is requested.

Since SQLite is used as the DBMS, no grave security impact could be found in the context of this service. A cause for concern would arise if another DBMS were to be used, as it could lead to potential command execution with INTO OUTFILE statements. For this reason, the SQL parameters should be sanitized regardless of which DBMS is chosen, as a change may result in injections leading to information leakage.

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-feed/issues/18
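The unsanitized-parameter problem the report describes, as an added example that is not code from commotion-feed or Serval DNA: a manifest lookup by id prefix against an in-memory SQLite table, with the string-built query beside a hardened form that validates the prefix and binds it as a parameter. The table name, column names, the hex-prefix rule and the sample manifest ids are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data (assumption): three manifests keyed by a hex id.
SAMPLE_IDS = ["ab12cd34", "ab99ee00", "ff00ff00"]
# Constructed request value that closes the quoted string and comments
# out the rest of the statement; SQLite honours "--" line comments.
INJECTED_PREFIX = "' OR 1=1 --"


def make_db():
    """Build the in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manifests (id TEXT PRIMARY KEY, payload TEXT)")
    conn.executemany("INSERT INTO manifests VALUES (?, ?)",
                     [(i, "payload-" + i) for i in SAMPLE_IDS])
    return conn


def lookup_unsafe(conn, prefix):
    """The 'before' form: the URL parameter is pasted into the SQL text,
    so the caller controls the WHERE clause, not just the value."""
    sql = "SELECT id FROM manifests WHERE id LIKE '" + prefix + "%'"
    return sorted(row[0] for row in conn.execute(sql))


# Assumed format rule: a prefix of a 64-character hex manifest id.
PREFIX_RE = re.compile(r"^[0-9a-fA-F]{1,64}$")


def lookup_safe(conn, prefix):
    """Hardened form: reject anything that is not a hex prefix, then bind
    the value so SQLite never parses it as SQL. Because only hex digits
    pass the check, LIKE wildcards ('%', '_') cannot reach the pattern."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("manifest prefix must be hex")
    rows = conn.execute("SELECT id FROM manifests WHERE id LIKE ?",
                        (prefix.lower() + "%",))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "ab"))              # the two 'ab' manifests
    print(lookup_unsafe(db, INJECTED_PREFIX))   # every row: filter bypassed
    print(lookup_safe(db, "ab"))                # the two 'ab' manifests
    try:
        lookup_safe(db, INJECTED_PREFIX)
    except ValueError as err:
        print("rejected:", err)
```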

