/

Errata - 4.0.1 XSS in SQL debugging output

Errata - 4.0.1 XSS in SQL debugging output

Owned by Mark Unwin

Last updated: Jan 18, 2021

When outputting the SQL statements for debugging, a maliciously crafted query can trigger a XSS attack (thanks Thrivikram Gujarathi).

This attack only succeeds if the user is already logged in to Open-AudIT before they click the malicious link.

The issue has been patched. To view the patch, go here - https://github.com/Opmantek/open-audit/commit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78

To apply it, grab the two files from:
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/helpers/response_helper.php
and
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/views/theme-bootstrap/v_template.php

and replace the existing files in your installation.

Apologies for any inconvenience this causes. This has been patched and will be included in the next release.

Mark Unwin.

Related content

Open-AudIT FAQ

More like this

Using Postman to query the Open-AudIT API

Using Postman to query the Open-AudIT API

More like this

Instalación de Open-AudIT en SUSE Linux Enterprise Server 15.5

Instalación de Open-AudIT en SUSE Linux Enterprise Server 15.5

More like this

Agents

More like this

Security Configurations

Security Configurations

More like this

Release Notes for Open-AudIT v5.4.0

Release Notes for Open-AudIT v5.4.0

More like this