google / account-provisioning-for-google-apps

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Sql injection

QiAnXinCodeSafe opened this issue · comments

The suggestGet method in the ProvisioningAction.java accepts the parameters in the request and puts them into "userDataMap".
图片
Finally, participated in the database interaction in the executeQuery() method in H2DataSource.java.
图片
An attacker can perform a SQL injection attack by constructing malicious parameters -- "lastanme" and "firstname".