
slub.team team mailing list archive

[Bug 938517] [NEW] SQL injection on login form

 

*** This bug is a security vulnerability ***

Private security bug reported:

In file src/de/sub/goobi/forms/LoginForm.java, method Einloggen(), line
104 is a possible SQL injection source. A login value (login name) is
directly submitted to the database without proper escaping, as described
in http://blog.harpoontech.com/2008/10/how-to-avoid-sql-injection-in-hibernate.html.
There are some guidelines to prevent SQL injection in Hibernate, such as
https://www.owasp.org/index.php/Hibernate-Guidelines

** Affects: goobi-production
     Importance: Critical
         Status: New

-- 
You received this bug notification because you are a member of Saxon
State Library Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/938517

To manage notifications about this bug go to:
https://bugs.launchpad.net/goobi-production/+bug/938517/+subscriptions
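Added example (not part of the bug report and not Goobi.Production's own code): the string-concatenation pattern the report describes, as it would look with Hibernate HQL, next to the parameterised form the linked OWASP guidelines recommend. The entity name User, its property login, and the Hibernate 3 Session/Query API are assumptions; the actual content of LoginForm.java is not quoted on this page.

```java
// Added example, not code from Goobi.Production. Assumes a Hibernate-mapped
// entity "User" with a string property "login", and the Hibernate 3
// org.hibernate.Session / org.hibernate.Query API.
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

public class LoginLookup {

    // VULNERABLE: the user-controlled login name is concatenated into the
    // HQL text. A login of   ' or '1'='1   yields the query
    //   from User where login = '' or '1'='1'
    // which matches every user row instead of the one that was typed in.
    public static List<?> findUserUnsafe(Session session, String login) {
        return session.createQuery(unsafeHql(login)).list();
    }

    // FIXED: the login name is bound as a named parameter. Hibernate hands it
    // to the JDBC driver as a bind value, so quotes inside it are data, not
    // part of the query.
    public static List<?> findUserSafe(Session session, String login) {
        Query q = session.createQuery("from User where login = :login");
        q.setParameter("login", login);
        return q.list();
    }

    // The HQL text the vulnerable method builds; shown separately so the
    // effect of a hostile login name can be seen without a database.
    public static String unsafeHql(String login) {
        return "from User where login = '" + login + "'";
    }

    public static void main(String[] args) {
        System.out.println(unsafeHql("admin"));
        // Demonstrates the tautology injection described in the comment above.
        System.out.println(unsafeHql("' or '1'='1"));
    }
}
```

The same fix applies if the lookup is written with the Criteria API: Restrictions.eq("login", login) binds the value as a parameter as well, while building a Criteria from a concatenated string fragment does not. Whichever form is used, the check to make during review is that no user-supplied value ever appears inside the query string itself.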

