security advisory
- Subject: security advisory
- From: "Armaghan Saqib" <..hidden..>
- Date: Wed, 24 Oct 2007 18:42:07 -0700
I was just browsing sql-ledger.org when I noticed this.
"A false security advisory about a SQL injection vulnerability in
SQL-Ledger has been posted by the maintainer of the fork ledgersmb.
It is impossible to pass a SQL command via the invoice quantity
because the string is converted from a formatted number to a number
the SQL server will understand and multiplied by 1.
Any string passed in the invoice quantity field either yields a value
or 0 (zero) before it hits the db."
When I went through the SL code, it seemed true.
So is it possible that this advisory applies to a past SL version, or
is there some other way to confirm this?
Regards
--
Armaghan Saqib
http://www.ledger123.com/
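The "convert, then multiply by 1" behaviour quoted above, as an added illustration that is not part of this post and not SQL-Ledger's own code: coerce_quantity is a hypothetical stand-in for the conversion step, and the inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the "formatted number -> number * 1" step
# described in the quoted text (not SQL-Ledger's parser). It strips a
# thousands separator and then relies on Perl's numeric coercion.
sub coerce_quantity {
    my ($raw) = @_;
    $raw =~ s/,//g;            # assume "," is the thousands separator
    no warnings 'numeric';     # junk coerces to 0 or to its leading numeric prefix
    return $raw * 1;
}

# Constructed inputs: one formatted number, one non-numeric string, and one
# string with SQL syntax after a number. Only a number ever comes out.
my %expected = (
    '1,250.5'       => 1250.5,
    'abc'           => 0,
    "10' OR '1'='1" => 10,   # the trailing SQL text is discarded by coercion
);

for my $raw (sort keys %expected) {
    my $qty = coerce_quantity($raw);
    printf "%-16s -> %s\n", $raw, $qty;
    die "unexpected result for '$raw': $qty" unless $qty == $expected{$raw};
}

# Even with a guaranteed-numeric value, binding it as a DBI placeholder
# rather than interpolating it into the SQL string is the robust habit
# (assumes an open $dbh and an $invoice_id; shown here as a comment only):
# my $sth = $dbh->prepare('UPDATE invoice SET qty = ? WHERE id = ?');
# $sth->execute($qty, $invoice_id);
```

The script dies if any input produces something other than the expected number, so it doubles as a quick check of the claim that the field can only yield a value or 0.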