  1. OpenNMS
  2. NMS-1769

columnName argument to AssetModel.searchAssets allows SQL injection


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.2.8
    • 1.9.90
    • Assets
    • Security Level: Default (Default Security Scheme)
    • None
    • Operating System: All
      Platform: All
    • 1694

    Description

      The columnName argument to searchAssets in org.opennms.web.asset.AssetModel is inserted into an SQL
      query without any checking, allowing SQL injection attacks.

      An attempt to fix it was made in revision 3893, but was commented out in revision 4042 because it didn't
      allow some of the existing uses of searchAssets.

      I stumbled back upon this while searching for something else, and I'm adding this bug so I don't forget.
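
An added example, not OpenNMS code: JDBC placeholders can bind values but not identifiers, so a column name that reaches the SQL text has to be checked against a fixed allowlist first. The class name, table name and column names below are assumptions made for illustration; as the history of revisions 3893 and 4042 shows, the allowlist has to cover every column that existing callers search on.

```java
import java.util.Locale;
import java.util.Set;

public class AssetColumnAllowlist {
    // Hypothetical column names, constructed for this example. A real fix must
    // list every column that existing callers of the search legitimately use.
    private static final Set<String> SEARCHABLE_COLUMNS =
            Set.of("manufacturer", "vendor", "serialnumber", "building");

    /**
     * Builds the search SQL for one column. The column name is normalized and
     * checked against the allowlist before it is concatenated; the search text
     * stays a '?' placeholder to be bound with PreparedStatement.setString.
     */
    static String buildSearchSql(String columnName) {
        if (columnName == null) {
            throw new IllegalArgumentException("columnName must not be null");
        }
        String normalized = columnName.trim().toLowerCase(Locale.ROOT);
        if (!SEARCHABLE_COLUMNS.contains(normalized)) {
            throw new IllegalArgumentException("column is not searchable");
        }
        // Only a string that is a member of the allowlist reaches the SQL text.
        // Table and key column names here are assumptions, not the real schema.
        return "SELECT nodeid, " + normalized + " FROM assets WHERE LOWER("
                + normalized + ") LIKE ?";
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate names, then values that are not columns.
        String[] samples = { "vendor", " Manufacturer ", "vendor OR 1=1", "", null };
        for (String sample : samples) {
            try {
                System.out.println("accepted: " + buildSearchSql(sample));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + sample + "] " + e.getMessage());
            }
        }
    }
}
```

Rejecting unknown names outright, rather than trying to escape them, keeps the check independent of the database's quoting rules.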

            People

              seth Seth Leger
              dgregor DJ Gregor