#262 Possible SQL injection in create_admin

Core (82)

The fDomains parameter to create_admin() is taken from POST data and interpolated in SQL without santitizing it, posing the risk of an SQL injection attack. The risk is probably low as the function is only available to global admins but even then they shouldn't be able to screw up the database or exploit further vulnerabilities in the DBMS.


  • Christian Boltz

    Christian Boltz - 2011-09-22
    • status: open --> closed-fixed
  • Christian Boltz

    Christian Boltz - 2011-09-22

    Could you report such issues a day before a release instead of a day after the (2.3.4) release next time, please? (Just kidding ;-)

    Seriously: Good catch, thanks for reporting it!

    Fixed in
    - 2.3 branch in SVN r1185, the fix will be in 2.3.5 (which we'll probably release soon, thanks to your bugreport ;-)
    - SVN trunk r1186


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks