Page 1 of 2 12 LastLast
Results 1 to 10 of 15
  1. #1
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default PCI Scan - SQL injection vul

    Anyone seen this, and have a remediation action?

    Possible blind sql injection on https://www.xxxxx.com/index.php? email_format=HTML&email=Enter+email+addres s wp --bsql "https://www.xxxx.com/index.php?email_format=HTML&email=Enter+email+address" style="display: none;"> "https://www.xxxx.com/index.php?email_format=HTML+and+1%3D1&email=Enter+email+address" "https://www.xxxxx.com/index.php?email_format=HTML+and+1%3D0&email=Enter+email+address" POST cat <<EOF > bsql.sh curl -L -k -d "email_format=HTML&email=Enter+email+address" "https://www.banberryplace.com/index.php"> a curl -L -k -d "email_format=HTML&email=Enter+email+address" "https://www.xxxxx.com/index.php"> b diff a b EOF sh bsql.sh This website may have other injection related vulnerabilities. [More]
    [Hide]

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,755
    Plugin Contributions
    9

    Default Re: PCI Scan - SQL injection vul

    Great but what Zencart version are you running?
    Zen-Venom Get Bitten

  3. #3
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Heh - yeah, that might be helpful.

    1.3.9h

  4. #4
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    I know it's considered obnoxious to "bump" topics, but I really need some help with this.

    The findings are definitely pointing at ZC files, and I am at the latest version.

    I ran the scan this afternoon and it was implicating a vuln in the search feature, I disabled search and ran it again and now it's complaining about newsletter subscribe... if I have run the scan 3 times, and 3 different results, it has to be fals positive, right?

    Please, if there is something else that I can do besides "upgrade to the latest version (already there)" I'm willing.

    Latest fiding:
    Possible blind sql injection on https://www.banberryplace.com/index.php? main_page=subscribe wp --bsql "https://www.banberryplace.com/index.php?main_page=subscribe" style="display: none;"> "https://www.banberryplace.com/index.php?main_page=subscribe+and+1%3D1" "https://www.banberryplace.com/index.php?main_page=subscribe+and+1%3D0" cat <<EOF > bsql.sh curl -L -k "https://www.banberryplace.com/index.php?main_page=subscribe+and+1%3D1"> a curl -L -k "https://www.banberryplace.com/index.php?main_page=subscribe+and+1%3D0"> b diff a b EOF sh bsql.sh This website may have other injection related vulnerabilities. [More]
    [Hide]

  5. #5
    Join Date
    Jun 2003
    Posts
    33,721
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Zen Cart doesn't have a subscribe page - What Add On are you using?
    Please do not PM for support issues: a private solution doesn't benefit the community.

    Be careful with unsolicited advice via email or PM - Make sure the person you are talking to is a reliable source.

  6. #6
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Yep - I am a chump.

    It's the newsletter subscribe mod. I have had that installed for so long that I forgot it was a mod. And to make matters more embarassing it looks like it has been updated...and you know, I should probably update it.

    I hope that updating that code will get me compliant, I'm kind of skeptical because I have run the scan 3 times with different results every time. But I do appreciate the nudge, and don't mind being embarrassed if it leads me in the right direction. :)

  7. #7
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Okay, so I have removed the newsletter subscribe module and another custom developed script, and I'm still failing...

    http://www.banberryplace.com/index.php?a ction=multiple_products_add_product%3F---- -------------------------79609744981084164 2884967624%0D%0AContent-Disposition%3A+for m-data&sort=20a&cPath=100&+name=%22submit1 .x%22%0D%0A%0D%0A1%0D%0A------------------ -----------796097449810841642884967624%0D% 0AContent-Disposition%3A+form-data&main_pa ge=index wp --bsql "http://www.banberryplace.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data&sort=20a&cPath=100&+name=%22submit 1.x%22%0D%0A%0D%0A1%0D%0A----------------- ------------796097449810841642884967624%0D %0AContent-Disposition%3A+form-data&main_p age=index" "http://www.banberryplace.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data+and+1%3D1&sort=20a&cPath=100&+name =%22submit1.x%22%0D%0A%0D%0A1%0D%0A----- [More]

  8. #8
    Join Date
    Dec 2005
    Posts
    44
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Did you ever get this resolved? I'm in a similar situation. SM refuses to point me to a solution, they just keep stating the error and that I need to fix it. I would love to know if you resolved it and how did you do it.

  9. #9
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Quote Originally Posted by shannda View Post
    Did you ever get this resolved? I'm in a similar situation. SM refuses to point me to a solution, they just keep stating the error and that I need to fix it. I would love to know if you resolved it and how did you do it.
    Wish I had a good story for you, but I don't.

  10. #10
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: PCI Scan - SQL injection vul

    Quote Originally Posted by Terrill_Taylor View Post
    "http://www.xxxxxxx.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data+and+1%3D1&sort=20a&cPath=100&+name =%22submit1.x%22%0D%0A%0D%0A1%0D%0A-----
    Your host has a mod_sec rule in place to protect you from possible SQL Injection attempts, which is what's triggering a blank page and/or a 406 response when someone attempts to visit that URL.

    Quote Originally Posted by YourHostingCompany
    Access denied with code 406 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|fr om\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|in st)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makew ebtask)|ql_(? ..." at ARGS:name. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "83"] [id "950001"] [msg "SQL Injection Attack. Matched signature <and 1=>"] [severity "CRITICAL"]

    Mod_sec is always gonna nail you on this before it gets to Zen cart which also would have done nothing with it as it scrubs the input before taking action
    Mod_sec fires before Zen Cart even comes into the picture.

    IMO, if SM is too technically incompetent to understand that the security systems of common webservers are providing protections before the application can ever be invoked, and are flagging you as failing because of it, then they have no business being in the security field.

    If SM won't listen to *you*, then log a ticket with your hosting company for assistance, as this issue is not a Zen Cart issue.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 
Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg