id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release
6381,RPC executeQuery is open to SQL Injection,carstenklein@…,okazaki,"
Please adjust the implementation of the executeQuery method so that it prevents SQL Injection.

Both parameters ""query"" and ""sort"" are not tested against common types of SQL Injection attacks.

E.g. providing for '''sort''' a value such as ""start_time asc; DELETE FROM ticket WHERE 1=1; DELETE FROM wiki WHERE 1=1;"" would remove all of your important ticket and wiki data. Actual table names and field names may be different from the ones used in the above example, but you should get the picture.

",defect,assigned,normal,TracDependencyPlugin,normal,,,,0.11
