#433 - SQL keywords not filtered from summary and description
Type Defect
Status Invalid
Milestone 3.6
Version 3.5.2
Component -
Priority Normal
Severity Normal
Owner C. Sebe
Assigned to -
Reported 8 years ago
Updated 8 years ago
Votes 0
Related tickets
Proposed time
Worked time

Hi,

What did you do to cause this? Tried to add/update a ticket that includes the word "having" in the summary/description.

What page were you on? Adding/Updating tickets through the web interface and API.

What PHP and MariaDB versions do you run? PHP 5.4.39, MySQL 5.6.23

Describe the defect: Please see the full description here: https://forum.traq.io/topic/457-api-call-for-adding-comments-to-an-existing-ticket/#entry1449 and here: https://forum.traq.io/topic/457-api-call-for-adding-comments-to-an-existing-ticket/#entry1450

Ticket History

Jack closed as Invalid 8 years and 9 months ago

This is due to the LiteSpeed server's request filtering security.

Request header and body can be checked against possible attack signatures. This helps defend against XSS attacks and SQL injection attacks, blocking those requests right from the start.

LiteSpeed thinks that an SQL injection attack is being attempted and is blocking the request from reaching Traq. This can be seen from the error containing "Access to this resource on the server is denied" and "Proudly powered by LiteSpeed Web Server".
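
The false positive described in this ticket, as an added example that is not Traq or LiteSpeed code: a keyword rule in front of the application rejects a harmless ticket summary, and the two error strings quoted above tell you the rejection came from the server's filter rather than from Traq. The keyword rule, the block page layout, the application response and all function names are constructed for illustration; the server's real rule set is not shown on this page.

```python
import re

# Strings quoted in the closing comment. A response body containing both was
# produced by the web server's request filter, not by the application.
FILTER_MARKERS = (
    "Access to this resource on the server is denied",
    "Proudly powered by LiteSpeed Web Server",
)

# Constructed, hypothetical signature: "having" is the only keyword the
# ticket names, so it is the only one used here.
KEYWORD_RULE = re.compile(r"\b(having)\b", re.IGNORECASE)

# Constructed block page that carries the two quoted strings.
BLOCK_PAGE = "<p>%s</p><p>%s</p>" % FILTER_MARKERS


def filter_decision(fields):
    """Return (field, keyword) for the first field the rule matches, else None."""
    for name, value in fields.items():
        match = KEYWORD_RULE.search(value)
        if match:
            return name, match.group(1).lower()
    return None


def front_end(fields):
    """Constructed stand-in for the server sitting in front of the application."""
    if filter_decision(fields):
        return BLOCK_PAGE      # the request never reaches the application
    return "Ticket saved"      # constructed application response


def response_origin(body):
    """Classify who produced a response body: 'request-filter' or 'application'."""
    if all(marker in body for marker in FILTER_MARKERS):
        return "request-filter"
    return "application"


if __name__ == "__main__":
    # Constructed ticket submissions: the first is ordinary English, not SQL.
    for summary in ("Users having trouble logging in", "Login page is slow"):
        body = front_end({"summary": summary, "description": "See attached log"})
        print(summary, "->", response_origin(body))
```

When triaging a report like this one, checking the response body for the server's own markers first avoids searching the application for a filter it does not contain.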