/
Errata - 4.0.1 XSS in SQL debugging output

Errata - 4.0.1 XSS in SQL debugging output

Owned by Mark Unwin
Last updated: Jan 18, 2021


When outputting the SQL statements for debugging, a maliciously crafted query can trigger a XSS attack (thanks Thrivikram Gujarathi).

This attack only succeeds if the user is already logged in to Open-AudIT before they click the malicious link.


The issue has been patched. To view the patch, go here - https://github.com/Opmantek/open-audit/commit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78


To apply it, grab the two files from:
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/helpers/response_helper.php
and
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/views/theme-bootstrap/v_template.php

and replace the existing files in your installation.


Apologies for any inconvenience this causes. This has been patched and will be included in the next release.

Mark Unwin.


Related content

Errata - 3.3.0 XSS in error templates
Errata - 3.3.0 XSS in error templates
Open-AudIT
More like this
Errata - 4.2.0 and earlier Javascript vulnerability
Errata - 4.2.0 and earlier Javascript vulnerability
Open-AudIT
More like this
Errata - 1.12_2 patch for opConfig
Errata - 1.12_2 patch for opConfig
Open-AudIT
More like this
Errata - 4.2.0, 3.5.0 and onwards util function vulnerability
Errata - 4.2.0, 3.5.0 and onwards util function vulnerability
Open-AudIT
More like this
Errata - 3.3.2 / 3.4.0 XSS in devices list template (Community)
Errata - 3.3.2 / 3.4.0 XSS in devices list template (Community)
Open-AudIT
More like this
Errata - 2.1 Security Update, March 2018
Errata - 2.1 Security Update, March 2018
Open-AudIT
More like this