[Vtigercrm-developers] Nasty little Announcement bug
Alan Lord (News)
alanslists at gmail.com
Mon Jun 11 02:27:50 PDT 2012
Hmm something else is a bit nasty with this.
The original announcement with the apostrophe was created by a user with
a normal id number (i.e. not 1).
I logged into their system (as admin) and edited their announcement to
remove the apostrophes. But rather than removing the original
announcement, it added a second one to the database table! Meaning the
apostrophe bug was still present as the marquee was now showing both
announcements.
The only way to fix this was to go into MySQL and manually delete the
original announcement record from the vtiger_announcement table.
My colleague also made an interesting comment. This is likely to be
quite a security bug too as you could probably inject javascript into
the announcement...
Cheers
Al
On 11/06/12 07:54, Alan Lord (News) wrote:
> Caught this one this morning...
>
> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7440
>
> Should be easy enough to fix (I guess the ' isn't being escaped or
> converted) but it's quite a nasty one. Using an apostrophe is commonplace
> and no access to the More menu is rather limiting.
>
> Cheers
>
> Al
>
--
Libertus Solutions
http://www.libertus.co.uk
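The two symptoms in this thread (an apostrophe in the announcement text that is never escaped, and an "edit" that leaves the old row in place so the marquee shows both), reproduced below as an added example. This is not vtiger's code and not from the original post: the column layout of the announcement table, the function names, and the page-side showMarquee() helper (assumed to assign its argument to innerHTML) are all assumptions made for the example. It models both layers the post leaves open, the SQL write and the rendering into an inline script.

```python
"""Hypothetical model of the announcement bug discussed in the thread.

Not vtiger's code.  Table columns, function names and the page-side
showMarquee() helper are assumptions for this example.  It reproduces the
two symptoms from the post (an "edit" that adds a second row instead of
replacing the first, and an apostrophe that breaks the rendered page) and
shows the fixed versions next to them.
"""
import html
import json
import sqlite3


def make_db():
    # Assumed layout, named after the table mentioned in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vtiger_announcement (creatorid INTEGER, announcement TEXT)"
    )
    return conn


def save_announcement_buggy(conn, creatorid, text):
    # Always INSERTs: editing a user's announcement leaves the old row
    # behind, so the marquee ends up showing both (the symptom in the post).
    conn.execute(
        "INSERT INTO vtiger_announcement (creatorid, announcement) VALUES (?, ?)",
        (creatorid, text),
    )


def save_announcement(conn, creatorid, text):
    # One announcement per creator: UPDATE the existing row and INSERT only
    # when none exists.  Parameterised queries keep ' out of the SQL text.
    cur = conn.execute(
        "UPDATE vtiger_announcement SET announcement = ? WHERE creatorid = ?",
        (text, creatorid),
    )
    if cur.rowcount == 0:
        conn.execute(
            "INSERT INTO vtiger_announcement (creatorid, announcement) VALUES (?, ?)",
            (creatorid, text),
        )


def announcements(conn):
    rows = conn.execute(
        "SELECT announcement FROM vtiger_announcement ORDER BY creatorid"
    )
    return [row[0] for row in rows]


def render_marquee_unsafe(texts):
    # Raw concatenation into a JS string literal: the first apostrophe ends
    # the literal early (the page breaks), and a <script> tag inside the
    # announcement runs in every viewer's browser.
    body = " | ".join(texts)
    return "<script>showMarquee('" + body + "');</script>"


def render_marquee(texts):
    # Assumed contract: showMarquee() assigns its argument to innerHTML, so
    # escape for the HTML context first (this removes every < > ' " &), then
    # JSON-encode the result so it is a valid JS string literal whatever the
    # announcement contains.
    body = " | ".join(html.escape(t, quote=True) for t in texts)
    return "<script>showMarquee(" + json.dumps(body) + ");</script>"


def reproduce():
    """Constructed sample run; returns the values worth checking."""
    sample = "Don't forget Friday's meeting"   # constructed announcement
    edited = "Dont forget Fridays meeting"     # the admin's "fix" from the post
    hostile = "<script>alert(1)</script>"      # constructed injection attempt

    buggy = make_db()
    save_announcement_buggy(buggy, 5, sample)
    save_announcement_buggy(buggy, 5, edited)

    fixed = make_db()
    save_announcement(fixed, 5, sample)
    save_announcement(fixed, 5, edited)

    return {
        "rows_after_buggy_edit": len(announcements(buggy)),
        "rows_after_fixed_edit": len(announcements(fixed)),
        "unsafe_html": render_marquee_unsafe([sample, hostile]),
        "safe_html": render_marquee([sample, hostile]),
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(key, "=>", value)
```

The escaping order matters for the assumed contract: HTML-escaping alone would still let an apostrophe terminate the single-quoted JS literal, and JSON-encoding alone would deliver a live `<script>` tag to innerHTML. If the page-side helper used textContent instead, the HTML-escaping step would have to be dropped or the entities would show up literally in the marquee.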