[opencms-dev] Clearing of cache on publish

Vince Chan vincechan at hkmail.sf-express.com
Tue Nov 29 03:15:16 CET 2011


Hello,
 
 
On publishing a file, all the cache will be cleared. Is there a way that it
only clears the cache of the published files?
 
 
Thanks
Vince

  _____  

From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Alexandru Gyori
Sent: Tuesday, November 29, 2011 4:30 AM
To: opencms-dev at opencms.org
Subject: [opencms-dev] Security issue
Importance: High



Hello,

 

I’d like to report a security vulnerability in OpenCMS.

I have downloaded the OpenCMS_8.0.3 sources; this vulnerability is present
in the current svn source files.

In org.opencms.i18n.CmsEncoder you have the method:

    /**
     * A simple method to avoid injection.<p>
     *
     * Replaces all single quotes to double single quotes in the value
     * parameter of the SQL statement.<p>
     *
     * @param source the String to escape SQL from
     * @return the escaped value of the parameter source
     */
    public static String escapeSql(String source) {

        return source.replaceAll("'", "''");
    }

 

This method is unsafe and vulnerable, as you can find out by reading:
http://www.unixwiz.net/techtips/sql-injection.html

The aforementioned method does not properly sanitize SQL.

The point of interest is:

“However, this naïve approach can be beaten because most databases support
other string escape mechanisms. MySQL, for instance, also permits \' to
escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by
doubling the quotes, we get:

    SELECT fieldlist
      FROM customers
     WHERE name = '\''; DROP TABLE users; --';  -- Boom!
”

 

Hope you’ll fix this soon. Good luck!

 

Regards,

Alexandru GYORI

Junior researcher IEAT
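As an added illustration (not part of either message and not OpenCms code), the Python below mirrors the reported escapeSql, walks the resulting literal the way a MySQL lexer with backslash escapes enabled would, and contrasts it with the remediation, a parameterized query; the customers table, its rows and the function names are constructed for the example.

```python
import sqlite3


def escape_sql_naive(source: str) -> str:
    """Mirror of the reported CmsEncoder.escapeSql: double every single quote."""
    return source.replace("'", "''")


def mysql_literal_terminates_cleanly(body: str) -> bool:
    """Walk the text placed between the opening quote and the intended closing
    quote the way a MySQL lexer does when backslash escapes are enabled (the
    default unless sql_mode contains NO_BACKSLASH_ESCAPES). Return True only
    if the whole body is consumed as one literal, so the intended closing
    quote really is the one that closes it."""
    i, n = 0, len(body)
    while i < n:
        if body[i] == "\\":
            i += 2            # a backslash escapes whatever character follows it
        elif body[i] == "'":
            if i + 1 < n and body[i + 1] == "'":
                i += 2        # '' is an escaped quote; still inside the literal
            else:
                return False  # a lone quote ends the literal early
        else:
            i += 1
    return i == n             # i > n: a trailing backslash ate the closing quote


def lookup_customer_names(name: str) -> list:
    """The remediation: bind the value through a placeholder. The driver passes
    it separately from the SQL text, so no quoting convention is involved.
    The table and its rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)",
                     [("O'Brien",), ("Smith",)])
    rows = conn.execute("SELECT name FROM customers WHERE name = ?",
                        (name,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for value in ["O'Brien", "\\'; DROP TABLE users; --"]:
        body = escape_sql_naive(value)
        verdict = "ok" if mysql_literal_terminates_cleanly(body) else "breaks out"
        print(repr(value), "->", verdict)
    print(lookup_customer_names("O'Brien"))
```

The lexer check is a review aid for spotting where quote-doubling alone is relied upon; the fix itself is to move such values into bound parameters.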


