View Issue Details

ID: 0000127
Project: Bacula-Web
Category: security-issue
View Status: public
Last Update: 2016-04-17 15:44
Reporter: philippniedziela
Assigned To: davide
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 6.0.0
Target Version: 6.0.1
Fixed in Version: 6.0.1
Summary: 0000127: XSS and SQL injection security issue

Description: Reported by Philipp Niedziela

I've just tested bacula-web (atm I'm using webacula) and I found several security issues (XSS, SQL injections), e.g. in /bacula-web/backupjob-report.php?backupjob_name=0%27<script>alert(1)</script>

Steps To Reproduce: Connect to bacula-web using the URL below

http://localhost/bacula-web/backupjob-report.php?backupjob_name=0%27<script>alert(1)</script>

Additional Information: The CHttpRequest class needs some code fixing
Tags: No tags attached.

Activities

davide

2014-05-01 15:42

manager   ~0000388

This problem is fixed and will be included in the next release version
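For reference, one way a report page can handle a parameter such as backupjob_name so that the value from the URL above is treated as data in both the SQL and the HTML context. This is an added example, not Bacula-Web code and not the fix shipped in 6.0.1; the helper names, the job table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: helper names, table and columns are hypothetical.

// Constructed sample: the decoded backupjob_name value from the report URL.
$_GET['backupjob_name'] = "0'<script>alert(1)</script>";

/** Read a query-string parameter as a plain, length-bounded string. */
function request_string(string $key, int $maxLen = 128): ?string
{
    $value = $_GET[$key] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return null; // rejects arrays (?x[]=), empty and oversized input
    }
    return $value;
}

/** Encode untrusted text for HTML element or quoted-attribute output. */
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// In-memory SQLite stands in for the catalog database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE job (name TEXT, status TEXT)');
$db->exec("INSERT INTO job VALUES ('nightly-full', 'T')");

$name = request_string('backupjob_name');
if ($name === null) {
    http_response_code(400);
    exit("Missing or invalid backupjob_name\n");
}

// SQL context: the value is bound as a parameter, so the single quote
// cannot terminate a string literal in the statement.
$stmt = $db->prepare('SELECT name, status FROM job WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// HTML context: the value is encoded at output, so the script tag is
// rendered as text instead of being parsed as markup.
echo '<h1>Report for ' . html($name) . "</h1>\n";
echo '<p>' . count($rows) . " matching job(s)</p>\n";
```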

Issue History

Date Modified Username Field Change
2014-04-30 13:17 davide New Issue
2014-04-30 13:17 davide Status new => assigned
2014-04-30 13:17 davide Assigned To => davide
2014-04-30 13:31 davide Status assigned => confirmed
2014-05-01 15:42 davide Note Added: 0000388
2014-05-01 15:42 davide Status confirmed => resolved
2014-05-01 15:42 davide Fixed in Version => 6.0.1
2014-05-01 15:42 davide Resolution open => fixed
2014-12-09 16:18 davide Category security => feature/security
2016-04-17 15:40 davide Category feature/security => security-issue
2016-04-17 15:44 davide Status resolved => closed