#1225: TableExport service is prone to SQL injection and allows export any
GeoNetwork table
-----------------------+----------------------------------------------------
Reporter: josegar74 | Owner: geonetwork-devel@…
Type: defect | Status: new
Priority: critical | Milestone: v2.8.0
Component: General | Version: v2.8.0RC2
Keywords: |
-----------------------+----------------------------------------------------
This service is allowed only to Administrators and used to export these
tables in statistics module:
* Requests table
* Parameters table
But the service doesn't check the table provided in user request, so can
export any database table, what seems unacceptable.
A fix is being developed, to allow configure which tables can be exported
and check the user request to allow only allowed tables.
--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/1225>
GeoNetwork opensource Developer website <http://sourceforge.net/projects/geonetwork/>
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.