Hi all,
A SQL injection vulnerability was found by the Qihoo360 CodeSafe Team.
Details are as below:
The getChannel method in the ChannelService.java file concatenates its parameters directly into SQL statements that it then executes, without filtering them, resulting in SQL injection.
Tracing further, the getChannel method is invoked in WebApp.java.
See the WebParam.get() method.
When param is empty (that is, on the first call), a param object is constructed; see the constructor.
All attributes of WebParam are taken from the request and are therefore attacker-controlled.
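As an added illustration (not the project's code, and not the reporter's), the pattern described above in hypothetical form: a WebParam-style object filled from request parameters, a getChannel-like method that concatenates one of those attributes into SQL, and the parameterized form that removes the injection. Every class, table and column name here is an assumption for the sketch; only the concepts come from the report.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for the WebParam described in the report: every
// attribute is copied straight from the HTTP request, so all of them are
// attacker-controlled.
final class WebParamLike {
    final String channel;

    WebParamLike(Map<String, String> requestParams) {
        this.channel = requestParams.getOrDefault("channel", "");
    }
}

final class ChannelServiceExample {

    // Vulnerable pattern: the request-controlled attribute is pasted into the
    // statement text, so a quote character in the value changes the structure
    // of the query instead of being treated as data.
    static String buildChannelSqlUnsafe(WebParamLike p) {
        return "SELECT id FROM channel WHERE channel_id = '" + p.channel + "'";
    }

    // Hardened form: the statement text is fixed and the value is bound as a
    // parameter, so the database driver never parses it as SQL.
    static List<String> getChannelSafe(Connection conn, WebParamLike p) throws SQLException {
        String sql = "SELECT id FROM channel WHERE channel_id = ?";
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, p.channel);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getString("id"));
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed request: a benign value containing a single quote is
        // enough to show that the concatenated query becomes malformed, while
        // getChannelSafe would send the identical value as a bound parameter.
        WebParamLike p = new WebParamLike(Map.of("channel", "news'room"));
        System.out.println(buildChannelSqlUnsafe(p));
    }
}
```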