columnName argument to AssetModel.searchAssets allows SQL injection
Description
The columnName argument to searchAssets in org.opennms.web.asset.AssetModel is inserted into an SQL query without any checking, allowing SQL injection attacks.
An attempt to fix it was made in revision 3893, but was commented-out in revision 4042 because it didn't allow some of the existing uses of searchAssets.
I stumbled back upon this while searching for something else, and I'm adding this bug so I don't forget.
I think the possibility of an SQL injection was fixed long ago in this code. The class is currently using PreparedStatement for all SQL and the "category" column itself is passed through a SQL sanitizer function so it should not be a vector for SQL injection. Marking as fixed.
Benjamin Reed September 7, 2007 at 5:09 PM
Ping? This seems like a reasonable blocker for 1.8?
DJ Gregor June 3, 2007 at 12:08 AM
The bug for the checking code being enabled and not allowing searching of the "category" column is in .
DJ Gregor November 27, 2006 at 5:01 PM
Customer ran into this problem using WebUI->Assets->(Select any dropdown)->Search. This is the asset/index.jsp page. The problem also happens if you use the category option at element/index.jsp.
DJ Gregor November 27, 2006 at 4:42 PM
Note: the exception that we get when the checking code is enabled is this:
java.lang.IllegalArgumentException: Column "category" is not a valid column name
    at org.opennms.web.asset.AssetModel.searchAssets (AssetModel.java:226)
    at org.apache.jsp.nodelist_jsp._jspService (nodelist_jsp.java:66)
    ...
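An added example, not part of the original issue and not OpenNMS code: a column-name allow-list that still accepts "category", combined with a PreparedStatement parameter for the search value. The class name, the allow-list contents, and the assets/nodeid table and column names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class AssetSearchExample {
    // Hypothetical allow-list: the real set of searchable columns is not shown in the issue.
    // "category" is listed because existing callers of searchAssets search on it.
    private static final Set<String> SEARCHABLE_COLUMNS =
            Set.of("category", "manufacturer", "vendor", "serialnumber");

    // Identifiers cannot be bound as "?" parameters, so the column name is
    // checked against a fixed set before it is concatenated into the SQL text.
    static String requireSearchableColumn(String columnName) {
        String normalized = columnName == null ? "" : columnName.toLowerCase(Locale.ROOT);
        if (!SEARCHABLE_COLUMNS.contains(normalized)) {
            throw new IllegalArgumentException(
                    "Column \"" + columnName + "\" is not a valid column name");
        }
        return normalized;
    }

    // Table and column names (assets, nodeid) are assumed for this example.
    static String buildQuery(String columnName) {
        return "SELECT nodeid FROM assets WHERE " + requireSearchableColumn(columnName) + " = ?";
    }

    // The search value is always bound as a parameter, never concatenated.
    static List<Integer> searchAssets(Connection conn, String columnName, String value)
            throws SQLException {
        try (PreparedStatement stmt = conn.prepareStatement(buildQuery(columnName))) {
            stmt.setString(1, value);
            try (ResultSet rs = stmt.executeQuery()) {
                List<Integer> nodeIds = new ArrayList<>();
                while (rs.next()) nodeIds.add(rs.getInt(1));
                return nodeIds;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("category"));           // accepted, value placeholder only
        try { buildQuery("category = 'x' OR 1=1"); }           // constructed input, not a column
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```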