View Issue Details

ID: 0015244
Project: phplist application
Category: Subscriber Import
View Status: public
Last Update: 23-03-09 15:14
Reporter: steveh
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.10.9
Target Version: 2.10.10
Fixed in Version: 2.10.10
Summary: 0015244: Potential for SQL injection in import
Description: If records that are quote delimited are imported then the SQL in users fails with syntax errors.

Additional Information: Create a file:-

"steve@xyz.com"
"fred@bert.com"

Import this file, then go to the user management page, you'll see sql syntax errors.
Tags: No tags attached.

Activities

michiel (manager) 23-03-09 15:14 ~0050585

fixed in svn, and will get to 2.10.10 but it will also be useful to remove the quotes at import time.
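
The failure reported above and the import-time fix suggested in the note, as an added example that is not phpList's own code. Python and an in-memory SQLite database stand in for phpList's PHP/MySQL; the table layout, the concatenated lookup query and all function names are assumptions.

```python
import csv
import io
import sqlite3

# Constructed sample: the two quote-delimited records from the report.
IMPORT_FILE = '"steve@xyz.com"\n"fred@bert.com"\n'


def raw_records(text):
    """Take each line verbatim, so the surrounding quotes become part of the value."""
    return [line for line in text.splitlines() if line.strip()]


def clean_records(text):
    """Remove the quote delimiters at import time by parsing each line as CSV."""
    rows = csv.reader(io.StringIO(text))
    return [row[0].strip() for row in rows if row and row[0].strip()]


def make_db(emails):
    """Hypothetical users table; inserts use bound parameters, so any value is stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users (email) VALUES (?)", [(e,) for e in emails])
    return db


def lookup_concatenated(db, email):
    """Assumed shape of a listing query: the stored value is pasted into the SQL text."""
    sql = 'SELECT id FROM users WHERE email = "' + email + '"'
    return db.execute(sql).fetchall()


def lookup_bound(db, email):
    """Same lookup with the value bound as a parameter, so it is never parsed as SQL."""
    return db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchall()


def concatenated_fails(db, email):
    """True when the concatenated query is rejected by the SQL parser."""
    try:
        lookup_concatenated(db, email)
    except sqlite3.Error:
        return True
    return False
```

Stripping quotes at import keeps the stored data clean, but only the bound-parameter lookup stays correct for values that still contain a quote character.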