SQL Injection at documentation
TOPIC REVIEW
gumbarros
Posted - 04/05/2023 : 10:03:50
https://www.reportportal.com/help/UrlSdk/Code/ReportList.aspx.vb.htm
You can execute any SQL command if an attacker modifies sFolderId and sReportType.
    ' Untrusted string values are concatenated straight into the SQL text
    If sFolderId <> "" Then
        sSql += " WHERE FolderId = " & sFolderId
    ElseIf sReportType <> "" Then
        sSql += " WHERE ReportType = " & sReportType
    End If
1 LATEST REPLIES (Newest First)
admin
Posted - 04/05/2023 : 13:20:15
Good point. The API documentation should say:
sSql += " WHERE FolderId = " & cint(sFolderId)
and
sSql += " WHERE ReportType = " & cint(sReportType)
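Added example, not ReportPortal's own code: the posted VB pattern ported to Python over a constructed in-memory SQLite table, shown beside the CInt-style integer cast the admin proposes and a parameterized query. The table name, columns and rows are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data: (ReportId, FolderId, ReportType, Name)
SAMPLE_REPORTS = [
    (1, 10, 1, "Sales by region"),
    (2, 10, 2, "Inventory"),
    (3, 20, 1, "Payroll"),
]


def make_db():
    """Build an in-memory table standing in for the ReportPortal report list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Reports (ReportId INTEGER, FolderId INTEGER,"
                 " ReportType INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Reports VALUES (?, ?, ?, ?)", SAMPLE_REPORTS)
    return conn


def report_list_vulnerable(conn, folder_id="", report_type=""):
    """Mirrors the posted VB: untrusted text is spliced into the WHERE clause."""
    sql = "SELECT ReportId FROM Reports"
    if folder_id != "":
        sql += " WHERE FolderId = " + folder_id
    elif report_type != "":
        sql += " WHERE ReportType = " + report_type
    return [row[0] for row in conn.execute(sql)]


def report_list_cast(conn, folder_id="", report_type=""):
    """The admin's fix: cast to an integer before concatenating (CInt in VB).
    int() raises ValueError for anything that is not a whole number, so no SQL
    text can reach the query; note CInt, unlike int(), accepts "10.5" and rounds."""
    sql = "SELECT ReportId FROM Reports"
    if folder_id != "":
        sql += " WHERE FolderId = " + str(int(folder_id))
    elif report_type != "":
        sql += " WHERE ReportType = " + str(int(report_type))
    return [row[0] for row in conn.execute(sql)]


def report_list_parameterized(conn, folder_id="", report_type=""):
    """Preferred form: the value is bound as a parameter, never as SQL text.
    SQLite applies the INTEGER column's affinity to a numeric-looking string,
    so "10" still matches; non-numeric input simply matches nothing."""
    sql, params = "SELECT ReportId FROM Reports", ()
    if folder_id != "":
        sql, params = sql + " WHERE FolderId = ?", (folder_id,)
    elif report_type != "":
        sql, params = sql + " WHERE ReportType = ?", (report_type,)
    return [row[0] for row in conn.execute(sql, params)]
```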
© 2000-2002 Snitz Communications