[SECURITY] SQLi in AuthenticationService 68/49068/2
author Andreas Fernandez <a.fernandez@scripting-base.de>
Tue, 19 Jul 2016 10:16:23 +0000 (12:16 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:29 +0000 (12:16 +0200)
commit 6e35feed9c10070bc9c459f2c51bcb41b1d39d70
tree 6846b56ca074d92432dbb19458a15ea5cdd2c730
parent 1374e9937af68fa9c43be9051472d9532de2199e
[SECURITY] SQLi in AuthenticationService

The environment variable `HTTP_HOST` is used in SQL statements
but is not properly escaped, leading to an SQL injection
vulnerability.

Resolves: #75740
Releases: 7.6, 6.2
Security-Commit: 137f240450524afedb3f341305c65ab798004e98
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I73554a1503a3a408bbbd8ff60b5196a429579b4e
Reviewed-on: https://review.typo3.org/49068
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/sv/Classes/AuthenticationService.php