[opencms-dev] Clearing of cache on publish
Vince Chan
vincechan at hkmail.sf-express.com
Tue Nov 29 03:15:16 CET 2011
Hello,
On publishing a file, all the cache will be cleared. Is there a way that it
only clears the cache of the published files?
Thanks
Vince
_____
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Alexandru Gyori
Sent: Tuesday, November 29, 2011 4:30 AM
To: opencms-dev at opencms.org
Subject: [opencms-dev] Security issue
Importance: High
Hello,
I'd like to report a security vulnerability of OpenCMS.
I have downloaded the OpenCMS_8.0.3 sources; this vulnerability is present
in the current svn source files.
In org.opencms.i18n.CmsEncoder you have the method:
/**
 * A simple method to avoid injection.<p>
 *
 * Replaces all single quotes to double single quotes in the value
 * parameter of the SQL statement.<p>
 *
 * @param source the String to escape SQL from
 * @return the escaped value of the parameter source
 */
public static String escapeSql(String source) {
    return source.replaceAll("'", "''");
}
This method is unsafe and vulnerable as you can find out by reading:
http://www.unixwiz.net/techtips/sql-injection.html
The before mentioned method does not properly sanitize sql.
The point of interest is:
However, this naïve approach can be beaten because most databases support
other string escape mechanisms. MySQL, for instance, also permits \' to
escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by
doubling the quotes, we get:
SELECT fieldlist
FROM customers
WHERE name = '\''; DROP TABLE users; --'; -- Boom!
Hope you'll fix this soon. Good luck!
Regards,
Alexandru GYORI
Junior researcher IEAT
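
Added example, not part of either message and not OpenCms code: a small Java check that scans the output of the quoted escapeSql the way a SQL lexer would, once for a dialect where only doubled quotes escape and once for one that also accepts backslash escapes (as the quoted article says MySQL does), next to a parameterized query as the usual mitigation. The class name, literalBreaksAt and customerExists are hypothetical names; the input is the one quoted in the report.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class EscapeSqlCheck {

    // Same behaviour as the escapeSql method quoted in the report.
    static String escapeSql(String source) {
        return source.replaceAll("'", "''");
    }

    // Scans the escaped value as the body of a '...' literal. Returns the index
    // at which the value stops being plain string data, or -1 if it never does.
    static int literalBreaksAt(String escaped, boolean backslashEscapes) {
        int i = 0;
        while (i < escaped.length()) {
            char c = escaped.charAt(i);
            boolean hasNext = i + 1 < escaped.length();
            if (backslashEscapes && c == '\\') {
                if (!hasNext) return i;      // would escape the closing quote
                i += 2;                      // backslash consumes the next character
            } else if (c == '\'') {
                if (!hasNext || escaped.charAt(i + 1) != '\'') return i; // lone quote ends the literal
                i += 2;                      // doubled quote is one literal quote
            } else {
                i++;
            }
        }
        return -1;
    }

    // Mitigation: bind the value as a parameter so no escaping rule is involved.
    // Table and column come from the quoted example; the method name is hypothetical.
    static boolean customerExists(Connection con, String name) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("SELECT 1 FROM customers WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        String escaped = escapeSql("\\'; DROP TABLE users; --"); // input quoted in the report
        System.out.println("escaped value              : " + escaped);
        System.out.println("quote-doubling-only dialect: " + literalBreaksAt(escaped, false));
        System.out.println("backslash-escape dialect   : " + literalBreaksAt(escaped, true));
    }
}
```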