billchen198318 / bamboobsc

The next version has moved to https://github.com/billchen198318/hillfog. bambooBSC is an open-source Balanced Scorecard (BSC) Business Intelligence (BI) web platform covering the BSC vision, perspectives, strategy objectives, Key Performance Indicators (KPIs), Strategy Map, SWOT, PDCA and PDCA reports, and time series analysis.
Apache License 2.0

Potential Information leakage via SQL #37

Closed hurray456 closed 7 years ago

hurray456 commented 7 years ago

Hi,

there is a way to leak information from the database. While using the Query Chart, even unprivileged users can execute SQL commands through the query expression field. An attacker can retrieve every dataset, user names and even hashed passwords. A fix would be to shut off or limit the usage of the plain query field.

Best regards.

billchen198318 commented 7 years ago
  1. Configure role and authority settings: https://github.com/billchen198318/bamboobsc/blob/master/core-doc/dev-docs/06-RoleAndAuthoritySettings.md

  2. Menu settings for the role: https://github.com/billchen198318/bamboobsc/blob/master/core-doc/dev-docs/05-ProgramRegistrationAndMenuSettings.md