From 22780e26da175bcc2636d6ed8c3845baed90fb86 Mon Sep 17 00:00:00 2001 From: Mobb autofixer Date: Mon, 25 Sep 2023 08:48:10 +0000 Subject: [PATCH 1/4] mobb fix commit: 22a658e9-6032-4dc6-b2e3-bd74c2fcfb99 --- src/main/webapp/ForgotPassword.jsp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/main/webapp/ForgotPassword.jsp b/src/main/webapp/ForgotPassword.jsp index b56f6cb..8c5c446 100644 --- a/src/main/webapp/ForgotPassword.jsp +++ b/src/main/webapp/ForgotPassword.jsp @@ -38,8 +38,10 @@ if(request.getParameter("secret")!=null) { Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); ResultSet rs=null; - Statement stmt = con.createStatement(); - rs=stmt.executeQuery("select * from users where username='"+request.getParameter("username").trim()+"' and secret='"+request.getParameter("secret")+"'"); + PreparedStatement pstmt = con.prepareStatement("select * from users where username=? and secret=?"); + pstmt.setString(1, request.getParameter("username").trim()); + pstmt.setString(2, request.getParameter("secret")); + rs=pstmt.executeQuery(); if(rs != null && rs.next()){ out.print("Hello "+rs.getString("username")+", Your Password is: "+rs.getString("password")); } From e1f729b6f62b3b5c83ac5525f0401caa151177c0 Mon Sep 17 00:00:00 2001 From: Mobb autofixer Date: Mon, 25 Sep 2023 08:48:11 +0000 Subject: [PATCH 2/4] mobb fix commit: 96b05587-b15d-497c-addc-b7ed3cefdc15 --- src/main/webapp/vulnerability/forum.jsp | 114 +++++++++++------------- 1 file changed, 54 insertions(+), 60 deletions(-) diff --git a/src/main/webapp/vulnerability/forum.jsp b/src/main/webapp/vulnerability/forum.jsp index 6c71c00..bde9b05 100644 --- a/src/main/webapp/vulnerability/forum.jsp +++ b/src/main/webapp/vulnerability/forum.jsp @@ -5,7 +5,7 @@ --%> <%@page import="java.sql.Connection"%> -<%@page import="java.sql.Statement"%> +<%@page import="java.sql.PreparedStatement"%> <%@page import="java.sql.SQLException"%> <%@page import="java.sql.ResultSetMetaData"%> @@ -18,65 +18,59 @@ <%@ include file="/header.jsp" %> <% - Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); - if(session.getAttribute("isLoggedIn")!=null && session.getAttribute("isLoggedIn").equals("1")) - { - out.print("Hello "+session.getAttribute("user")+", Welcome to Our Forum !"); - } - %> -

-

Create Post:

-
- Title :
- Message:
- " size="50"/>
- -
- +try (Connection con = new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"))) { + if (session.getAttribute("isLoggedIn") != null && session.getAttribute("isLoggedIn").equals("1")) { + out.print("Hello " + session.getAttribute("user") + ", Welcome to Our Forum !"); + } +} +%> +

+

Create Post:

+
+Title :
+Message:
+" size="50"/>
+ +

<% - - if(request.getParameter("post")!=null) - { - String user=request.getParameter("user"); - String content=request.getParameter("content"); - String title=request.getParameter("title"); - if(con!=null && !con.isClosed()) - { - Statement stmt = con.createStatement(); - //Posting Content - stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')"); - out.print("Successfully posted"); - } - } - - %> -

List of Posts:

- <% - if(con!=null && !con.isClosed()) - { - Statement stmt = con.createStatement(); - ResultSet rs =null; - rs=stmt.executeQuery("select * from posts"); - out.println(""); - while (rs.next()) - { - out.print(""); - out.print(""); - out.print(""); - +if (request.getParameter("post") != null) { + String user = request.getParameter("user"); + String content = request.getParameter("content"); + String title = request.getParameter("title"); + if (con != null && !con.isClosed()) { + String query = "INSERT into posts(content,title,user) values (?,?,?)"; + try (PreparedStatement stmt = con.prepareStatement(query)) { + stmt.setString(1, content); + stmt.setString(2, title); + stmt.setString(3, user); + stmt.executeUpdate(); + out.print("Successfully posted"); + } + } +} +%> +

List of Posts:

+<% +if (con != null && !con.isClosed()) { + String query = "select * from posts"; + try (PreparedStatement stmt = con.prepareStatement(query)) { + ResultSet rs = stmt.executeQuery(); + out.println("
"+rs.getString("title")+" - Posted By "); - if(!rs.getString("user").equalsIgnoreCase("anonymous")) - { - out.print(""+rs.getString("user")+""); - } - else - { - out.print(rs.getString("user")); - } - out.println("
"); + while (rs.next()) { + out.print("");"); + out.print(""); + out.print("
" + rs.getString("title") + " - Posted By "); + if (!rs.getString("user").equalsIgnoreCase("anonymous")) { + out.print("" + rs.getString("user") + ""); + } else { + out.print(rs.getString("user")); } - out.println("
"); - } - out.print("
Forum Users list >>"); - %> - <%@ include file="/footer.jsp" %> \ No newline at end of file + out.println(""); + } + out.println(""); + } +} +out.print("
Forum Users list >>"); +%> +<%@ include file="/footer.jsp" %> \ No newline at end of file From 084573a16fcd69b7159f517e375d99bf7f8bd4ca Mon Sep 17 00:00:00 2001 From: Mobb autofixer Date: Mon, 25 Sep 2023 08:48:11 +0000 Subject: [PATCH 3/4] mobb fix commit: 214bf700-2ada-4df9-84e6-83813ca102c3 --- src/main/webapp/vulnerability/csrf/change-info.jsp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/main/webapp/vulnerability/csrf/change-info.jsp b/src/main/webapp/vulnerability/csrf/change-info.jsp index 9c27092..2e894da 100644 --- a/src/main/webapp/vulnerability/csrf/change-info.jsp +++ b/src/main/webapp/vulnerability/csrf/change-info.jsp @@ -27,8 +27,10 @@ if(session.getAttribute("isLoggedIn")!=null) String id=session.getAttribute("userid").toString(); if(info!=null && !info.equals("") && id!=null) { - Statement stmt = con.createStatement(); - stmt.executeUpdate("Update users set about='"+info+"' where id="+id); + PreparedStatement pstmt = con.prepareStatement("Update users set about=? where id=?"); + pstmt.setString(1, info); + pstmt.setString(2, id); + pstmt.executeUpdate(); out.print("info Changed"); } From 3d8cc98f0f0b239ac3c2cb345ddcd60053b1d269 Mon Sep 17 00:00:00 2001 From: Mobb autofixer Date: Mon, 25 Sep 2023 08:48:12 +0000 Subject: [PATCH 4/4] mobb fix commit: 6d578cde-0711-4f1a-9f12-f6f6c7b5079f --- src/main/java/org/cysecurity/cspf/jvl/controller/Register.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java index afa2f83..d3fe111 100644 --- a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java +++ b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java @@ -55,7 +55,7 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re { Statement stmt = con.createStatement(); - stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')"); + stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"',"+stmt.enquoteLiteral(String.valueOf(about))+",'default.jpg','user',1,'"+secret+"')"); stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('"+user+"','admin','Hi','Hi
This is admin of this page.
Welcome to Our Forum')"); response.sendRedirect("index.jsp");