Issues » Blind SQL injection

Issue: SI-39
Date: Jan 17, 2017 11:30:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.6.2
Credit: Ben Nott based on earlier findings of Elar Lang
Description:

SQL injection via Categories Servlet - does not require authentication.  The only concrete exploit we have at this time is against mySQL 5.5.   Since this string does get passed to the DB for evaluation, it is possible that an exploit of this vulnerability may be possible on other database engines.  We recommend everyone upgrade or take the necessary precautions.

Workaround:

Restrict URL pattern /categoriesServlet to your administrator's IP range.

Back to the top