  1. OpenNMS
  2. NMS-1769

columnName argument to AssetModel.searchAssets allows SQL injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.8
    • Fix Version/s: 1.9.90
    • Component/s: Assets
    • Security Level: Default (Default Security Scheme)
    • Labels:
      None
    • Environment:
      Operating System: All
      Platform: All
    • Bugzilla Id:
      1694

      Description

      The columnName argument to searchAssets in org.opennms.web.asset.AssetModel is inserted into an SQL
      query without any checking, allowing SQL injection attacks.

      An attempt to fix it was made in revision 3893, but was commented out in revision 4042 because it didn't
      allow some of the existing uses of searchAssets.

      I stumbled back upon this while searching for something else, and I'm adding this bug so I don't forget.
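
One way to close the hole described above, as an added example (not OpenNMS code and not the fix that shipped in 1.9.90): SQL identifiers cannot be bound as parameters, so the column name is checked against an allowlist while the search text stays a bind parameter. The class name, the `assets` table layout and the column names are assumptions for illustration; an allowlist that omits a column an existing caller passes would reject that caller, which is how the report says the earlier attempt failed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class AssetColumnSearch {
    // Hypothetical allowlist; a real one lists every column that existing callers search on.
    private static final Set<String> SEARCHABLE =
            Set.of("manufacturer", "vendor", "serialnumber", "building");

    /** Returns the SQL text for a column, or throws if the column is not allowlisted. */
    static String buildSearchSql(String columnName) {
        String col = columnName == null ? "" : columnName.toLowerCase(Locale.ROOT);
        if (!SEARCHABLE.contains(col)) {
            throw new IllegalArgumentException("not a searchable asset column: " + columnName);
        }
        // Only a string equal to an allowlist entry reaches the SQL text.
        return "SELECT nodeid, " + col + " FROM assets WHERE LOWER(" + col + ") LIKE ?";
    }

    /** Runs the search; the caller-supplied text is only ever a bind parameter. */
    static List<Integer> search(Connection conn, String columnName, String text)
            throws SQLException {
        List<Integer> nodeIds = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSearchSql(columnName))) {
            ps.setString(1, "%" + text.toLowerCase(Locale.ROOT) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    nodeIds.add(rs.getInt(1));
                }
            }
        }
        return nodeIds;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate column, then a string that is not a column name.
        for (String input : new String[] {"Vendor", "vendor OR 1=1"}) {
            try {
                System.out.println("accepted: " + buildSearchSql(input));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```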

              People

              • Assignee:
                seth Seth Leger
              • Reporter:
                dgregor DJ Gregor