ReportPortal
ReportPortal
Home | Profile | Register | Active Topics | Members | Search | FAQ
 All Forums
 ReportPortal General Forum
 Report Portal General Issues
 SQL Injection at documentation

Note: You must be registered in order to post a reply.
To register, click here. Registration is FREE!

Screensize:
UserName:
Password:
Message:

* HTML is ON
* Forum Code is OFF
Smilies
Smile [:)] Big Smile [:D] Cool [8D] Blush [:I]
Tongue [:P] Evil [):] Wink [;)] Clown [:o)]
Black Eye [B)] Eight Ball [8] Frown [:(] Shy [8)]
Shocked [:0] Angry [:(!] Dead [xx(] Sleepy [|)]
Kisses [:X] Approve [^] Disapprove [V] Question [?]

 
Check here to subscribe to this topic.
   

T O P I C    R E V I E W
gumbarros Posted - 04/05/2023 : 10:03:50
https://www.reportportal.com/help/UrlSdk/Code/ReportList.aspx.vb.htm

You can execute any SQL command if a atacker modify sFolderId and sReportType.

If sFolderId <> "" Then

sSql += " WHERE FolderId = " & sFolderId

ElseIf sReportType <> "" Then

sSql += " WHERE ReportType = " & sReportType

End If
1   L A T E S T    R E P L I E S    (Newest First)
admin Posted - 04/05/2023 : 13:20:15
Good point. THE API documentation should says:

sSql += " WHERE FolderId = " & cint(sFolderId)

and

sSql += " WHERE ReportType = " & cint(sReportType)

ReportPortal © 2000-2002 Snitz Communications Go To Top Of Page