MantisBT: master-1.2.x 7efe0175

Diff Back to Repository
Author Committer Branch Timestamp Parent
Paul Richards dregad master-1.2.x 2014-01-17 11:24 master-1.2.x 00b4c170
Affected Issues  0016880: CVE-2014-1609: SQL injection vulnerabilities
Changeset

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage,
potentially allowing SQL injection attacks due to unsanitized use of
parameters within the query.

This includes vboctor's 2 comments.

Fixes 0016880

Signed-off-by: Damien Regad dregad@mantisbt.org

Conflicts:
admin/db_stats.php
plugins/MantisGraph/pages/bug_graph_bycategory.php
plugins/MantisGraph/pages/bug_graph_bystatus.php
proj_doc_page.php
mod - admin/db_stats.php Diff File
mod - api/soap/mc_project_api.php Diff File
mod - core/news_api.php Diff File
mod - core/summary_api.php Diff File
mod - plugins/MantisGraph/core/graph_api.php Diff File
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php Diff File
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php Diff File
mod - proj_doc_page.php Diff File