> What steps will reproduce the problem?
1. Open admin generated list
http://mysite.com/NetTiers/Admin/lsit.aspx
2. put a single quote ' in the search textbox and execute search
3. be amazed by the error message:
Server Error in '/NetTiers.Website' Application.
--------------------------------------------------------------------------------
Unclosed quotation mark after the character string ' ORDER BY [Field] DESC'.
Incorrect syntax near ' ORDER BY [Field] DESC'.
4. Play with custom queries
'; DELETE FROM TABLE ; UPDATE TABLE ; --
> What is the expected output? What do you see instead?
There should be a list of records; instead there is a SQLException,
leading to a SQL injection.
> What version of .netTiers and CodeSmith are you using?
latest from source
> Please use labels and text to provide additional information.
Attached is a patch fixing this specific security bug.
Original issue reported on code.google.com by luc.duch...@gmail.com on 6 Dec 2013 at 8:40
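The failure the report describes, shown as an added example that is not part of the original issue and is not .netTiers' generated code: a search query assembled the way the error message implies (search text spliced into the WHERE clause as a string literal, then `ORDER BY [Field] DESC` appended) next to a version that binds the search text as a parameter and checks the sort column against an allow-list, since an ORDER BY column cannot be bound as a parameter. Python's standard-library sqlite3 module stands in for SQL Server so the example runs offline; the `Item` table, its columns and its rows are constructed for the demonstration. With the single-quote probe from step 2 the vulnerable path raises a syntax error, exactly the symptom reported, while the parameterized path simply returns the rows whose name contains a quote.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"Id", "Name", "Field"}  # columns the page may sort by


def make_db():
    """Constructed in-memory table standing in for the listed entity (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Item (Id INTEGER PRIMARY KEY, Name TEXT, Field INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Item (Name, Field) VALUES (?, ?)",
        [("alpha", 3), ("O'Brien", 2), ("beta", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    """The reported pattern: user text concatenated straight into the SQL string.

    A single quote in `term` terminates the literal early, so everything after it,
    including the appended ORDER BY clause, is parsed as SQL (or as an unclosed string).
    """
    sql = (
        "SELECT Name FROM Item WHERE Name LIKE '%" + term + "%' "
        "ORDER BY [Field] DESC"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term, sort_column="Field", descending=True):
    """Hardened form: the search text is a bound parameter, never part of the SQL text.

    The sort column still has to be spliced into the statement, so it is validated
    against a fixed allow-list first; anything else is rejected outright.
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    direction = "DESC" if descending else "ASC"
    sql = "SELECT Name FROM Item WHERE Name LIKE ? ORDER BY [%s] %s" % (
        sort_column,
        direction,
    )
    # The wildcards are added to the parameter value, not to the SQL string.
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(search_fn, term):
    """Run one search implementation against a fresh table.

    Returns ("ok", rows) on success or ("error", message) when the database
    rejects the statement, which is what a malformed query looks like to the page.
    """
    conn = make_db()
    try:
        return ("ok", search_fn(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # The step-2 probe: a lone single quote.
    print("vulnerable:", probe(search_vulnerable, "'"))
    print("safe:      ", probe(search_safe, "'"))
```

Running the block prints an `("error", ...)` tuple for the concatenated query and `("ok", ["O'Brien"])` for the parameterized one. The same allow-list idea applies to any other fragment the generated page splices into the statement (sort direction, page size): bind what can be bound, and validate the rest against a closed set.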