
Re: security advisory



Hmmm.....

Wow....

Looks like half of the security advisory is bad.  I am looking through
my notes to determine what went wrong.  It wasn't the qty field but
rather the name field in the search :-(  Looks like I owe Dieter a
public apology and clarification.

However the sort field (in the same advisory) is still exploitable :-(
on both systems.....

Best Wishes,
Chris Travers

On 10/24/07, Armaghan Saqib <..hidden..> wrote:
> I was just browsing the sql-ledger.org when I noticed this.
>
> "A false security advisory about a SQL injection vulnerability in
> SQL-Ledger has been posted by the maintainer of the fork ledgersmb.
>
> It is impossible to pass a SQL command via the invoice quantity
> because the string is converted from a formatted number to a number
> the SQL server will understand and multiplied by 1.
>
> Any string passed in the invoice quantity field either yields a value
> or 0 (zero) before it hits the db. "
>
> When I went through SL code, it seems true.
>
> So is it possible that this advisory applies to a past SL version or
> there is some other way to confirm this?
>
> Regards
> --
> Armaghan Saqib
> http://www.ledger123.com/
>
> _______________________________________________
> Ledger-smb-users mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-users
>
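The thread above makes three distinct claims: a quantity that is coerced to a number cannot carry SQL, a free-text search field spliced into a query can, and a sort field is exploitable. The following is an added example, written for this page and not code from SQL-Ledger or LedgerSMB; the table names, columns, rows and the `parse_amount` helper are constructed for the demonstration and do not describe either project's real schema or code. It uses SQLite so it runs offline, but the three patterns are the same under PostgreSQL with Perl DBI.

```python
"""Added example (not SQL-Ledger or LedgerSMB code): why a numeric field that is
coerced to a number cannot carry SQL, while a free-text search field and an
ORDER BY column name can.  Schema, rows and helper names are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory schema; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE parts (id INTEGER, partnumber TEXT, sellprice REAL);
        INSERT INTO parts VALUES (1, 'A-100', 9.5), (2, 'B-200', 3.25), (3, 'C-300', 12.0);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def parse_amount(raw):
    """Turn a user-formatted number ("1,250.50") into a float; anything that is
    not a number becomes 0.  The '* 1' mirrors the coercion the quoted text
    describes: after this step only a number can reach the query."""
    try:
        return float(str(raw).replace(",", "")) * 1
    except ValueError:
        return 0.0


def quantity_sql(raw):
    """Even with plain string interpolation, only a number is ever spliced in."""
    return "UPDATE invoice SET qty = %s WHERE id = 1" % parse_amount(raw)


def search_name_unsafe(conn, name):
    """Free-text field concatenated into the query: the injectable pattern."""
    sql = "SELECT id FROM parts WHERE partnumber LIKE '%" + name + "%'"
    return [r[0] for r in conn.execute(sql)]


def search_name_safe(conn, name):
    """Same search with a bind parameter (a DBI '?' placeholder does the same in Perl)."""
    sql = "SELECT id FROM parts WHERE partnumber LIKE '%' || ? || '%'"
    return [r[0] for r in conn.execute(sql, (name,))]


def search_sort_unsafe(conn, sort):
    """Sort column taken straight from the request and appended to ORDER BY."""
    return [r[0] for r in conn.execute("SELECT id FROM parts ORDER BY " + sort)]


# Identifiers cannot be bound as parameters, so the fix is an allow-list.
ALLOWED_SORT = ("id", "partnumber", "sellprice")


def sort_allowed(sort):
    return sort in ALLOWED_SORT


def search_sort_safe(conn, sort, direction="ASC"):
    """Only a known column name and a known direction ever reach the SQL text."""
    if not sort_allowed(sort):
        raise ValueError("sort column not allowed: %r" % sort)
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("bad sort direction: %r" % direction)
    sql = "SELECT id FROM parts ORDER BY %s %s" % (sort, direction)
    return [r[0] for r in conn.execute(sql)]


def oracle_sort(prefix):
    """A sort value that flips the result order depending on a secret, so an
    attacker learns one true/false answer per request from row order alone."""
    return ("CASE WHEN (SELECT password FROM users WHERE login = 'admin') "
            "LIKE '%s%%' THEN id ELSE -id END" % prefix)


if __name__ == "__main__":
    db = make_db()
    print(quantity_sql("1; DROP TABLE parts"))          # number coerced to 0.0
    print(search_name_unsafe(db, "zzz' OR 1=1 OR '"))   # every row comes back
    print(search_name_safe(db, "zzz' OR 1=1 OR '"))     # nothing matches
    print(search_sort_unsafe(db, oracle_sort("s")))     # ascending: guess was right
    print(search_sort_unsafe(db, oracle_sort("x")))     # descending: guess was wrong
    print(search_sort_safe(db, "sellprice", "desc"))
```

The quantity case is safe by construction because the value is a number before it is ever placed in SQL text, which is the point the quoted statement makes. The sort case cannot be fixed the same way, and a bind parameter does not help either, because a placeholder binds a value rather than a column name; the only robust fix is to accept just the column names and directions the application knows about.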