MantisBT - Piwigo
View Issue Details
Issue ID: 0001973
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2010.10.29 23:45
Last Update: 2010.10.30 00:37
Reporter: plg
Assigned To: plg
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.1.3
Target Version: 2.1.4
Fixed in Version: 2.1.4
Browser: any
Web server: Apache 1.3.x
0001973: [comments.php] SQL query on error (and displayed) when category id is unknown
On comments.php, the category_id is transmitted as a $_GET parameter, and if the user sets a non-existing category_id then Piwigo generates an SQL syntax error and the SQL query is displayed.

There is no vulnerability but we should avoid the SQL syntax error if we know the category doesn't exist!
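The defensive pattern this report calls for, as an added illustration rather than Piwigo's own code: validate the id from the URL as a positive integer, confirm the category exists before the page's main query is built, and route any database error to the log instead of the browser. The `categories` table, the in-memory SQLite connection and the `lookupCategoryId` helper are hypothetical and exist only for this example (it assumes PHP with the pdo_sqlite extension).

```php
<?php
// Added example, not part of Piwigo. Demonstrates handling an unknown or
// malformed category id taken from $_GET without producing a SQL syntax error
// and without echoing the failing query to the visitor.

/**
 * Return the category id if the URL parameter is a well-formed, existing id,
 * or null otherwise. The caller decides how to render the "not found" case.
 */
function lookupCategoryId(array $get, PDO $db): ?int
{
    // 1. Shape check first: only a positive integer is acceptable.
    $raw = $get['category_id'] ?? null;
    if ($raw === null
        || filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return null;
    }
    $id = (int) $raw;

    // 2. Existence check with a bound parameter, before any larger query is built.
    $stmt = $db->prepare('SELECT id FROM categories WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn() === false ? null : $id;
}

// Constructed fixture: hypothetical schema, in-memory database.
$db = new PDO('sqlite::memory:');
// Raise exceptions on database errors so they can be caught and logged,
// instead of being printed by default.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'holidays'), (2, 'family')");

// Constructed sample requests: an existing id, an unknown id, a non-numeric
// value and a missing parameter.
$requests = [
    ['category_id' => '2'],
    ['category_id' => '999'],
    ['category_id' => 'abc'],
    [],
];

foreach ($requests as $get) {
    try {
        $id = lookupCategoryId($get, $db);
        if ($id === null) {
            // Unknown or malformed id: neutral message, no query text.
            echo "category not found\n";
            continue;
        }
        echo "showing comments for category {$id}\n";
    } catch (PDOException $e) {
        // Database failures go to the server log; the visitor sees a generic message.
        error_log('comments page database error: ' . $e->getMessage());
        echo "an error occurred\n";
    }
}
```

The order matters: the integer check rejects values that could never be a category id, the existence check covers the case this report describes (a syntactically valid id that matches nothing), and the exception handler ensures that if a query does still fail, its text reaches the log rather than the response body.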
No tags attached.
Issue History
2010.10.29 23:45  plg  New Issue
2010.10.29 23:45  plg  Status: new => assigned
2010.10.29 23:45  plg  Assigned To => plg
2010.10.29 23:45  plg  browser => any
2010.10.29 23:45  plg  Web server => Apache 1.3.x
2010.10.30 00:33  svn  Checkin
2010.10.30 00:33  svn  Note Added: 0004410
2010.10.30 00:34  svn  Checkin
2010.10.30 00:34  svn  Note Added: 0004411
2010.10.30 00:37  plg  Status: assigned => closed
2010.10.30 00:37  plg  Resolution: open => fixed
2010.10.30 00:37  plg  Fixed in Version => 2.1.4

Notes
(0004410)  svn  2010.10.30 00:33
[Subversion] r7487 by plg on branch 2.1

-----[Subversion commit log]----------------------------------------------------
bug 1973 fixed: avoid SQL syntax error if the category id given in the URL is
unknown.
(0004411)  svn  2010.10.30 00:34
[Subversion] r7488 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
merge r7487 from branch 2.1 to trunk

bug 1973 fixed: avoid SQL syntax error if the category id given in the URL is
unknown.