SQL Injection at documentation
gumbarros
1 Posts
Posted - 04/05/2023 : 10:03:50
https://www.reportportal.com/help/UrlSdk/Code/ReportList.aspx.vb.htm
You can execute any SQL command if an attacker modifies sFolderId and sReportType.
If sFolderId <> "" Then
    sSql += " WHERE FolderId = " & sFolderId
ElseIf sReportType <> "" Then
    sSql += " WHERE ReportType = " & sReportType
End If
Edited by - gumbarros on 04/05/2023 10:15:16
admin
1652 Posts
Posted - 04/05/2023 : 13:20:15
Good point. The API documentation should say:
sSql += " WHERE FolderId = " & cint(sFolderId)
and
sSql += " WHERE ReportType = " & cint(sReportType)
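
The same filter built with an integer check and a bound parameter instead of string concatenation, as an added example that is not part of either post or of the ReportPortal documentation. The base query, the `Report` table, its selected columns, the `@id` parameter name and the function name are assumptions; `System.Data.SqlClient` is assumed to be available (it ships with .NET Framework).

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ReportListFilterExample

    ' Hypothetical base query; the thread shows only the WHERE clause being appended.
    Private Const BaseSql As String = "SELECT ReportId, ReportName FROM Report"

    ' Returns a command whose SQL text never contains request data.
    ' Returns Nothing when the supplied value is not an integer, so the caller can reject the request.
    Function BuildReportListCommand(sFolderId As String, sReportType As String) As SqlCommand
        Dim column As String = Nothing
        Dim raw As String = Nothing
        If sFolderId <> "" Then
            column = "FolderId" : raw = sFolderId
        ElseIf sReportType <> "" Then
            column = "ReportType" : raw = sReportType
        End If

        ' No filter requested: plain listing.
        If column Is Nothing Then Return New SqlCommand(BaseSql)

        ' Integer.TryParse rejects anything that is not a whole number without throwing.
        Dim id As Integer
        If Not Integer.TryParse(raw, id) Then Return Nothing

        ' column is one of the two fixed literals above; the value travels as a typed parameter.
        Dim cmd As New SqlCommand(BaseSql & " WHERE " & column & " = @id")
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample inputs: a numeric id and a value carrying extra SQL text.
        For Each sample As String In {"12", "12 OR 1=1"}
            Dim cmd As SqlCommand = BuildReportListCommand(sample, "")
            If cmd Is Nothing Then
                Console.WriteLine("rejected: " & sample)
            Else
                Console.WriteLine(cmd.CommandText & "  [@id=" & cmd.Parameters("@id").Value.ToString() & "]")
            End If
        Next
    End Sub
End Module
```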