phplist

NOTE:: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


View Issue Details Jump to Notes ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0015244phplist applicationSubscriber Importpublic19-03-09 09:4923-03-09 15:14
Reportersteveh 
PrioritynormalSeveritymajorReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version2.10.9 
Target Version2.10.10Fixed in Version2.10.10 
Summary0015244: Potential for SQL injection in import
DescriptionIf records that are quote delimted are imported then the sql in users fails with syntax errors.

Additional InformationCreate a file:-

"steve@xyz.com"
"fred@bert.com"

Import this file, then go to the user management page, you'll see sql syntax errors.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0050585)
michiel (manager)
23-03-09 15:14

fixed in svn, and will get to 2.10.10 but it will also be useful to remove the quotes at import time.


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker