Posted to issues@trafodion.apache.org by "Alice Chen (JIRA)" <ji...@apache.org> on 2015/07/22 20:15:35 UTC

[jira] [Created] (TRAFODION-308) LP Bug: 1323874 - sql-security REGISTER USER possible SQL injection security issue

Alice Chen created TRAFODION-308:
------------------------------------

             Summary: LP Bug: 1323874 - sql-security REGISTER USER possible SQL injection security issue
                 Key: TRAFODION-308
                 URL: https://issues.apache.org/jira/browse/TRAFODION-308
             Project: Apache Trafodion
          Issue Type: Bug
          Components: sql-security
            Reporter: Paul Low
            Assignee: Roberta Marton
            Priority: Critical


The username from the REGISTER USER command is plugged directly into an SQL statement.  The command fails.  The error shows the failed internal SQL statement that is executed.


-bash-4.1$ trafci.sh -h localhost:28200 -u trafodion -p traf

Welcome to Trafodion Command Interface
Copyright(C) 2013-2014 Hewlett-Packard Development Company, L.P.

Host Name/IP Address: localhost:28200
User Name: trafodion

Connected to Trafodion

SQL> Register user paullow1 as "last-first\'qa1003";

*** ERROR[15005] Unmatched quote in input (unterminated string):
select count(*) from TRAFODION."_MD_".AUTHS where auth_db_name = 'LAST-FIRST\'QA1003'; [2014-05-27 20:25:22]

SQL>



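
The failure reported above, reproduced as an added example that is not part of the original report and is not Trafodion code: the same existence check built by string interpolation, by a bound parameter, and by quote doubling. It assumes an in-memory SQLite table named AUTHS as a stand-in for the metadata table; the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed stand-in for TRAFODION."_MD_".AUTHS with only the column
    # that appears in the error text; the single row is sample data.
    db = sqlite3.connect(":memory:")
    db.execute("create table AUTHS (auth_db_name text)")
    db.execute("insert into AUTHS values (?)", ("LAST-FIRST\\'QA1003",))
    return db

def count_interpolated(db, name):
    # Pattern described in the report: the name becomes part of the statement text.
    sql = "select count(*) from AUTHS where auth_db_name = '%s'" % name.upper()
    return db.execute(sql).fetchone()[0]

def count_bound(db, name):
    # Hardened form: the statement text is constant and the name is a bound value.
    sql = "select count(*) from AUTHS where auth_db_name = ?"
    return db.execute(sql, (name.upper(),)).fetchone()[0]

def count_quoted(db, name):
    # Fallback where binding is unavailable: double each embedded single quote.
    # Assumes a dialect in which backslash is not an escape character.
    literal = name.upper().replace("'", "''")
    sql = "select count(*) from AUTHS where auth_db_name = '%s'" % literal
    return db.execute(sql).fetchone()[0]

def try_count(fn, db, name):
    # Return the count, or the error class name if the statement does not parse.
    try:
        return fn(db, name)
    except sqlite3.Error as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    reported = "last-first\\'qa1003"  # the external name typed in the report
    for fn in (count_interpolated, count_bound, count_quoted):
        print(fn.__name__, try_count(fn, db, reported))
```

The interpolated form fails to parse on the reported name, while the bound and quote-doubled forms treat the whole name as data and find the row.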