<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body >Dear Mike O'Loan,<br><br>Thanks for notifying issues in some of the modules. We will ensure that these issues are fixed immediately. If required we will release a patch for v4.2.3 immediately.<br><br>Regards,<br>Gopal<br>---
<br>S.S.G.Gopal
<br>skype: sripadag
<br>ph: +1 877 788 4437
<br>blog: http://gopal.vtiger.com<br><br><br><br><br>---- On Tue, 22 Aug 2006 <b>Mike O'Loan <mike.oloan@saucesoft.com></b> wrote ---- <br><br><blockquote style="border-left: 1px solid rgb(160, 154, 255); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">The following files still have the same SQL injection vulnerability, carried over from vTiger 4.2.3. Although these aren't a problem with magic_quotes_gpc turned ON, it still needs to be fixed. It has been fixed in other modules by putting the PearDatabase::quote() function around any variable that needs to be placed in an SQL statement.
<br><br>Affected files:<br>modules\Faq\ListView.php<br>modules\HelpDesk\ListView.php<br>modules\Invoice\Popup.php<br>modules\Leads\ListView.php<br>modules\Leads\Popup.php<br>modules\Products\Popup.php<br clear="all"><br>Implementing this would reduce the SQL injection vulnerability for vTiger
4.2.x<br><br>-- <br>Mike O'Loan<br>Chief Technical Officer<br>Sauce Software Pty Ltd<br> <br><br> <a href="http://saucesoft.com" target="_blank">http://saucesoft.com</a><br> Phone: +61 1300 559 165<br> Fax: +61 7 3009 0442
<br> Email: <a href="mailto:mike.oloan@saucesoft.com" target="_blank">mike.oloan@saucesoft.com</a>
_______________________________________________<br>Get started with creating presentations online - <a href="http://zohoshow.com?vt" target="_blank">http://zohoshow.com?vt</a> <br></blockquote></body></html>