SQL Injection at documentation
gumbarros
1 Posts
Posted - 04/05/2023 : 10:03:50
https://www.reportportal.com/help/UrlSdk/Code/ReportList.aspx.vb.htm
You can execute any SQL command if an attacker modifies sFolderId and sReportType.
If sFolderId <> "" Then
sSql += " WHERE FolderId = " & sFolderId
ElseIf sReportType <> "" Then
sSql += " WHERE ReportType = " & sReportType
End If
Edited by - gumbarros on 04/05/2023 10:15:16
admin
1637 Posts
Posted - 04/05/2023 : 13:20:15
Good point. The API documentation should say:
sSql += " WHERE FolderId = " & cint(sFolderId)
and
sSql += " WHERE ReportType = " & cint(sReportType)
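
The same filter written with typed SQL parameters instead of string concatenation, as an added example that is not part of the thread or of ReportPortal's documentation. `BuildReportListCommand`, `TryParseId` and the base query are hypothetical names chosen for illustration, and the code assumes `System.Data.SqlClient` is referenced. Unlike `CInt`, which throws on non-numeric input, the strict parse here rejects the value without an exception.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Globalization

Module ReportListQueryExample

    ' Strict integer parse: digits with an optional sign, culture-independent.
    Function TryParseId(raw As String, ByRef value As Integer) As Boolean
        Return Integer.TryParse(raw, NumberStyles.AllowLeadingSign,
                                CultureInfo.InvariantCulture, value)
    End Function

    ' Keeps the If/ElseIf precedence of the documentation snippet, but the
    ' value travels as a typed parameter and never becomes part of the SQL text.
    ' Returns Nothing when a supplied value is not an integer.
    Function BuildReportListCommand(baseSql As String, sFolderId As String,
                                    sReportType As String) As SqlCommand
        Dim column As String = Nothing
        Dim id As Integer
        If sFolderId <> "" Then
            If Not TryParseId(sFolderId, id) Then Return Nothing
            column = "FolderId"
        ElseIf sReportType <> "" Then
            If Not TryParseId(sReportType, id) Then Return Nothing
            column = "ReportType"
        End If

        Dim cmd As New SqlCommand(baseSql)
        If column IsNot Nothing Then
            ' column is one of two fixed literals above, never request data.
            cmd.CommandText &= " WHERE " & column & " = @" & column
            cmd.Parameters.Add("@" & column, SqlDbType.Int).Value = id
        End If
        Return cmd
    End Function

    Sub Main()
        ' Hypothetical base query; the page does not show the start of sSql.
        Dim baseSql As String = "SELECT * FROM Report"
        ' Constructed sample inputs: a valid id, an empty value, a non-integer.
        For Each raw As String In {"12", "", "1 OR 1=1"}
            Dim cmd As SqlCommand = BuildReportListCommand(baseSql, raw, "")
            Console.WriteLine(If(cmd Is Nothing, "rejected: " & raw, cmd.CommandText))
        Next
    End Sub
End Module
```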