Posted to issues@trafodion.apache.org by "Alice Chen (JIRA)" <ji...@apache.org> on 2015/07/22 20:15:35 UTC
[jira] [Created] (TRAFODION-308) LP Bug: 1323874 - sql-security REGISTER USER possible SQL injection security issue
Alice Chen created TRAFODION-308:
------------------------------------
Summary: LP Bug: 1323874 - sql-security REGISTER USER possible SQL injection security issue
Key: TRAFODION-308
URL: https://issues.apache.org/jira/browse/TRAFODION-308
Project: Apache Trafodion
Issue Type: Bug
Components: sql-security
Reporter: Paul Low
Assignee: Roberta Marton
Priority: Critical
The username from the REGISTER USER command is plugged directly into a SQL statement. The command fails. The error shows the failed internal SQL statement that is executed.
-bash-4.1$ trafci.sh -h localhost:28200 -u trafodion -p traf
Welcome to Trafodion Command Interface
Copyright(C) 2013-2014 Hewlett-Packard Development Company, L.P.
Host Name/IP Address: localhost:28200
User Name: trafodion
Connected to Trafodion
SQL> Register user paullow1 as "last-first\'qa1003";
*** ERROR[15005] Unmatched quote in input (unterminated string):
select count(*) from TRAFODION."_MD_".AUTHS where auth_db_name = 'LAST-FIRST\'QA1003'; [2014-05-27 20:25:22]
SQL>
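The failure reported above, reproduced as an added example (not part of the original report and not Trafodion code): the same lookup is built once by pasting the name into the statement text and once with a bound parameter. SQLite and the one-column table `auths` are stand-ins assumed here for the Trafodion engine and TRAFODION."_MD_".AUTHS; the function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the metadata table named in the error message.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auths (auth_db_name TEXT)")
    db.execute("INSERT INTO auths VALUES ('LAST-FIRST')")
    return db


def count_concat(db, ext_name):
    """Pattern from the report: the name becomes part of the SQL text."""
    sql = ("select count(*) from auths where auth_db_name = '"
           + ext_name.upper() + "'")
    return db.execute(sql).fetchone()[0]


def count_bound(db, ext_name):
    """Hardened form: the name is bound as data and is never parsed as SQL."""
    sql = "select count(*) from auths where auth_db_name = ?"
    return db.execute(sql, (ext_name.upper(),)).fetchone()[0]


def check(ext_name):
    """Return (result of concatenated query, result of bound query)."""
    db = make_db()
    try:
        concat = count_concat(db, ext_name)
    except sqlite3.OperationalError as exc:
        # The quote inside the name ended the literal early, so the
        # remainder of the name was handed to the SQL parser.
        concat = "parse error: %s" % exc
    return concat, count_bound(db, ext_name)


if __name__ == "__main__":
    # First name is benign; second is the external name from the report.
    for name in ["last-first", "last-first\\'qa1003"]:
        print(repr(name), check(name))
```

With the name from the report, the concatenated statement is rejected by the parser while the bound statement runs and finds no matching row.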