[Secure-testing-team] Bug#637632: sql injection in package installer

Ansgar Burchardt ansgar at debian.org
Sat Aug 13 09:02:29 UTC 2011


Package: src:dtc
Version: 0.32.10-2
Severity: critical
Tags: security upstream

SQL injection in the package installer:

$q = "SELECT DISTINCT db.Db,db.User FROM mysql.user,mysql.db WHERE user.dtcowner='$adm_login' AND db .User=user.User AND db.Db='".$_REQUEST["database_name"]."';";

Ansgar
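
Added example, not part of the original report and not dtc code: the reported statement in its concatenated form next to a version that binds both values as parameters. PDO with an in-memory SQLite database stands in for MySQL's mysql.user and mysql.db tables; the function names, table rows and the quoted input are constructed for illustration.

```php
<?php
// Constructed stand-in for the MySQL grant tables (assumption: only the
// columns named in the reported query are modelled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (User TEXT, dtcowner TEXT)");
$pdo->exec("CREATE TABLE db (Db TEXT, User TEXT)");
$pdo->exec("INSERT INTO user VALUES ('alice_sql','alice'), ('bob_sql','bob')");
$pdo->exec("INSERT INTO db VALUES ('alice_blog','alice_sql'), ('bob_shop','bob_sql')");

// Same shape as the reported statement: request data becomes SQL text, so a
// quote character in $database_name ends the string literal early.
function lookup_concat(PDO $pdo, string $adm_login, string $database_name): array
{
    $q = "SELECT DISTINCT db.Db,db.User FROM user,db WHERE user.dtcowner='$adm_login'"
       . " AND db.User=user.User AND db.Db='" . $database_name . "';";
    return $pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement text is fixed and both values travel as bound
// parameters, so they are only ever compared as data.
function lookup_bound(PDO $pdo, string $adm_login, string $database_name): array
{
    $stmt = $pdo->prepare(
        "SELECT DISTINCT db.Db,db.User FROM user,db WHERE user.dtcowner = :owner"
        . " AND db.User=user.User AND db.Db = :dbname"
    );
    $stmt->execute([':owner' => $adm_login, ':dbname' => $database_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary database name and one containing quotes.
$inputs = ['alice_blog', "nosuchdb' OR '1'='1"];
foreach ($inputs as $name) {
    foreach (['lookup_concat', 'lookup_bound'] as $fn) {
        $rows = $fn($pdo, 'alice', $name);
        $dbs  = implode(',', array_column($rows, 'Db'));
        printf("%-13s %-22s -> %d row(s) [%s]\n", $fn, $name, count($rows), $dbs);
    }
}
```

On a real MySQL server the same binding is available through PDO's mysql driver or mysqli prepared statements.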




