We've received a third-party vulnerability report that the `order` parameter on the `records` view is vulnerable to SQL injection. I've verified that we're up to date (version 2.6.3) on the site reported, so the earlier SQL injection vulnerability via the `extent` parameter has been patched.
This can be verified on a site with Neatline installed by appending `/neatline/records?order=if(now()=sysdate()%2Csleep(10)%2C0)` to the base URL for the site. That executes an SQL command to sleep for 5 seconds, resulting in a 5 second delay when loading the page.
Can this input be sanitized to prevent SQL injection attacks?