Monika security issue (SQL injection) #178

Open
matthieu637 opened this issue Oct 30, 2020 · 1 comment

matthieu637 commented Oct 30, 2020

Hello,
The IT team of our university (also #165) informed us that there is a security issue with monika (SQL injection).

/monika/monika?job=-1%20OR%203*2*1=6%20AND%20000436=000436%20--%20

Hopefully, it's with the read-only user.

But still our server doesn't like it (postgresql process uses 100% CPU after that kind of request):
image

We are using the version 2.5.8~rc8-1 with postgresql 10.14-0ubuntu0.18.0.

Contributor

npf commented Dec 5, 2020

Hello,

A patch (PR) would be very welcome.
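
The kind of fix a patch would need, shown as an added example that is not part of this thread and not monika's code: the `job` value from the reported request is decoded, run through a string-interpolated query (the "before" form), and then through a lookup that accepts only a decimal job id and binds it as a parameter. Python with in-memory SQLite stands in for monika and PostgreSQL, and the `jobs` table, its columns and all function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Request path quoted in the report above.
REPORTED_PATH = "/monika/monika?job=-1%20OR%203*2*1=6%20AND%20000436=000436%20--%20"

def job_param(path):
    """Return the URL-decoded value of the job query parameter."""
    return parse_qs(urlsplit(path).query)["job"][0]

def make_db():
    """Constructed sample data; the jobs table is hypothetical, not monika's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (job_id INTEGER PRIMARY KEY, job_user TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_interpolated(conn, job):
    """'Before' form: the parameter is pasted into the SQL text, so it is parsed as SQL."""
    sql = f"SELECT job_id, job_user FROM jobs WHERE job_id = {job}"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, job):
    """Hardened form: accept only a decimal job id, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,18}", job):
        raise ValueError("job must be a decimal integer")
    sql = "SELECT job_id, job_user FROM jobs WHERE job_id = ?"
    return conn.execute(sql, (int(job),)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    value = job_param(REPORTED_PATH)
    print("decoded job parameter:", repr(value))
    # The OR/AND predicate is always true, so every row comes back.
    print("interpolated:", lookup_interpolated(conn, value))
    try:
        lookup_bound(conn, value)
    except ValueError as exc:
        print("bound lookup rejected input:", exc)
    print("bound lookup for job 2:", lookup_bound(conn, "2"))
```

Rejecting a non-numeric `job` before the query is built also means the database never has to evaluate the injected predicate at all.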
