ReportPortal
 SQL Injection at documentation
gumbarros

1 Posts

Posted - 04/05/2023 :  10:03:50
https://www.reportportal.com/help/UrlSdk/Code/ReportList.aspx.vb.htm

You can execute any SQL command if an attacker modifies sFolderId and sReportType.

    ' Request values are concatenated straight into the SQL text
    If sFolderId <> "" Then
        sSql += " WHERE FolderId = " & sFolderId
    ElseIf sReportType <> "" Then
        sSql += " WHERE ReportType = " & sReportType
    End If

Edited by - gumbarros on 04/05/2023 10:15:16

admin

1637 Posts

Posted - 04/05/2023 :  13:20:15
Good point. The API documentation should say:

sSql += " WHERE FolderId = " & cint(sFolderId)

and

sSql += " WHERE ReportType = " & cint(sReportType)
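As an added illustration of both posts above (example code, not from the ReportPortal documentation or product), here is the concatenation pattern from ReportList.aspx.vb beside a hardened version. The hardened version goes one step past the CInt() suggestion: it validates with Integer.TryParse and then passes the value as a typed SqlParameter, so the request value is never parsed as SQL. The SELECT list, the table name "Reports", the use of SqlConnection/SqlCommand, the connection string, and the assumption that ReportType is an integer column are all assumptions made for the example.

```vbnet
' Added example, not code from the ReportPortal documentation or product.
' Assumptions: table "Reports" with columns ReportId, ReportName, FolderId,
' ReportType (integer), accessed through System.Data.SqlClient.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module ReportListExample

    ' Vulnerable form, as in the documentation page: the raw request values
    ' become part of the SQL text. With sFolderId = "1 OR 1=1" the WHERE
    ' clause matches every row; with "1; DROP TABLE Reports--" a second
    ' statement is executed.
    Public Function BuildSqlUnsafe(sFolderId As String, sReportType As String) As String
        Dim sSql As String = "SELECT ReportId, ReportName FROM Reports"
        If sFolderId <> "" Then
            sSql += " WHERE FolderId = " & sFolderId
        ElseIf sReportType <> "" Then
            sSql += " WHERE ReportType = " & sReportType
        End If
        Return sSql
    End Function

    ' Hardened form. CInt() as suggested above blocks the injection for an
    ' integer column but throws InvalidCastException on "abc" or "1 OR 1=1";
    ' Integer.TryParse rejects bad input with a clear error, and the value
    ' then travels as a typed parameter rather than as query text.
    Public Function BuildCommandSafe(conn As SqlConnection, sFolderId As String, sReportType As String) As SqlCommand
        Dim cmd As New SqlCommand()
        cmd.Connection = conn
        Dim sSql As String = "SELECT ReportId, ReportName FROM Reports"
        Dim value As Integer

        If sFolderId <> "" Then
            If Not Integer.TryParse(sFolderId, value) Then
                Throw New ArgumentException("FolderId must be an integer", "sFolderId")
            End If
            sSql += " WHERE FolderId = @FolderId"
            cmd.Parameters.Add("@FolderId", SqlDbType.Int).Value = value
        ElseIf sReportType <> "" Then
            If Not Integer.TryParse(sReportType, value) Then
                Throw New ArgumentException("ReportType must be an integer", "sReportType")
            End If
            sSql += " WHERE ReportType = @ReportType"
            cmd.Parameters.Add("@ReportType", SqlDbType.Int).Value = value
        End If

        cmd.CommandText = sSql
        Return cmd
    End Function

    Sub Main()
        ' Constructed attacker input: the unsafe builder returns a query that
        ' selects every report instead of one folder.
        Console.WriteLine(BuildSqlUnsafe("1 OR 1=1", ""))

        ' Assumed connection string; the connection is never opened here.
        Using conn As New SqlConnection("Server=.;Database=ReportPortal;Integrated Security=True")
            Try
                BuildCommandSafe(conn, "1 OR 1=1", "")
            Catch ex As ArgumentException
                Console.WriteLine("Rejected: " & ex.Message)
            End Try

            Dim cmd As SqlCommand = BuildCommandSafe(conn, "42", "")
            Console.WriteLine(cmd.CommandText & "  [@FolderId=" & cmd.Parameters("@FolderId").Value.ToString() & "]")
        End Using
    End Sub

End Module
```

The parameterised version is preferable to a bare CInt() even for numeric columns: it keeps the "is this a valid id" decision in one explicit place, and the same pattern works unchanged when a filter column is a string, where CInt() would not apply at all.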
ReportPortal © 2000-2002 Snitz Communications