SQL keywords not filtered from summary and description

433
Defect
C. Sebe
-
3.6
3.5.2
-
Invalid
Normal
Normal
6 years ago
6 years ago
0

Description

Hi,

What did you do to cause this? Tried to add/update a ticket that includes the word "having" in the summary/description.

What page were you on? Adding/Updating tickets through the web interface and API.

What PHP and MariaDB versions do you run? PHP 5.4.39 MySQL 5.6.23

Describe the defect: Please see the full description here: https://forum.traq.io/topic/457-api-call-for-adding-comments-to-an-existing-ticket/#entry1449 and here: https://forum.traq.io/topic/457-api-call-for-adding-comments-to-an-existing-ticket/#entry1450

Ticket History

6 years and 1 month ago by Jack

  • Closed ticket as Invalid

This is due to the LiteSpeed server's request filtering security.

Request header and body can be checked against possible attack signatures. This helps defend against XSS attacks and SQL injection attacks, blocking those requests right from the start.

LiteSpeed thinks that an SQL injection attack is being attempted and is blocking the request from reaching Traq. This can be seen from the error page containing "Access to this resource on the server is denied" and "Proudly powered by LiteSpeed Web Server".
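The two things a practitioner would want to check from this ticket, as an added example that is not Traq's or LiteSpeed's code: how a keyword signature of the kind Jack describes rejects a harmless summary containing "having", how to recognise the LiteSpeed denial page so a blocked request is not mistaken for a Traq error, and why a parameterized INSERT needs no keyword filtering at all. The keyword list, the stand-in SQLite schema, the sample summaries and the denial page body are all constructed assumptions, not LiteSpeed's actual rule set or Traq's tables.

```python
# Added example, not code from Traq or LiteSpeed: contrasts a naive SQL-keyword
# signature (the kind of request filtering described in the ticket) with a
# parameterized INSERT, using a throwaway in-memory SQLite table as a stand-in
# for Traq's tickets table. Keyword list and schema are assumptions.
import re
import sqlite3

# Hypothetical keyword signature: whole-word, case-insensitive match on common
# SQL keywords. Real WAF rule sets are larger, but the false-positive mechanism
# is the same: plain English containing "having" trips the rule.
SQL_KEYWORDS = ("select", "union", "having", "drop", "insert", "delete", "update")
SIGNATURE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def signature_blocks(text: str) -> bool:
    """True if the keyword signature would reject a request carrying this text."""
    return SIGNATURE.search(text) is not None


def is_litespeed_denial(response_body: str) -> bool:
    """Recognise the LiteSpeed denial page by the two strings quoted in the
    ticket, so a blocked request can be told apart from an application error."""
    return ("Access to this resource on the server is denied" in response_body
            and "Proudly powered by LiteSpeed Web Server" in response_body)


def open_tickets_db() -> sqlite3.Connection:
    """Create the stand-in tickets table (schema assumed, not Traq's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, summary TEXT, description TEXT)"
    )
    return conn


def add_ticket(conn: sqlite3.Connection, summary: str, description: str) -> tuple:
    """Insert with bound parameters: the text travels as data and is never
    parsed as SQL, so no keyword in it needs filtering. Returns the stored row."""
    cur = conn.execute(
        "INSERT INTO tickets (summary, description) VALUES (?, ?)",
        (summary, description),
    )
    return conn.execute(
        "SELECT summary, description FROM tickets WHERE id = ?", (cur.lastrowid,)
    ).fetchone()


# Constructed inputs: the ticket's "having" case, plus a summary carrying quote
# and semicolon characters, which bound parameters also store verbatim.
BENIGN_SUMMARY = "Users are having trouble logging in"
HOSTILE_LOOKING_SUMMARY = "Error: '; DROP TABLE tickets; --"

# Constructed response body standing in for the page the reporter saw.
DENIAL_PAGE = (
    "<html><body><h1>403 Forbidden</h1>"
    "<p>Access to this resource on the server is denied!</p>"
    "<p>Proudly powered by LiteSpeed Web Server</p></body></html>"
)

if __name__ == "__main__":
    print("signature blocks benign summary:", signature_blocks(BENIGN_SUMMARY))  # True
    print("denial page recognised:", is_litespeed_denial(DENIAL_PAGE))          # True
    conn = open_tickets_db()
    print(add_ticket(conn, BENIGN_SUMMARY, "see forum thread"))
    print(add_ticket(conn, HOSTILE_LOOKING_SUMMARY, "stored verbatim"))
    print("rows in tickets:", conn.execute("SELECT COUNT(*) FROM tickets").fetchone()[0])
```

The signature check fails on ordinary prose while the bound-parameter insert stores even the quote-and-semicolon summary as plain text, which is the reason the ticket's request ("filter SQL keywords from summary and description") is the wrong layer for the fix: the application protects its queries by binding parameters, and the front-end filter is what has to be tuned (or given an exception for the ticket form) to stop the false positive.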