Results 1 to 10 of 15

Hybrid View

  1. #1
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Okay, so I have removed the newsletter subscribe module and another custom developed script, and I'm still failing...

    http://www.banberryplace.com/index.php?a ction=multiple_products_add_product%3F---- -------------------------79609744981084164 2884967624%0D%0AContent-Disposition%3A+for m-data&sort=20a&cPath=100&+name=%22submit1 .x%22%0D%0A%0D%0A1%0D%0A------------------ -----------796097449810841642884967624%0D% 0AContent-Disposition%3A+form-data&main_pa ge=index wp --bsql "http://www.banberryplace.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data&sort=20a&cPath=100&+name=%22submit 1.x%22%0D%0A%0D%0A1%0D%0A----------------- ------------796097449810841642884967624%0D %0AContent-Disposition%3A+form-data&main_p age=index" "http://www.banberryplace.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data+and+1%3D1&sort=20a&cPath=100&+name =%22submit1.x%22%0D%0A%0D%0A1%0D%0A----- [More]

  2. #2
    Join Date
    Dec 2005
    Posts
    44
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Did you ever get this resolved? I'm in a similar situation. SM refuses to point me to a solution, they just keep stating the error and that I need to fix it. I would love to know if you resolved it and how did you do it.

  3. #3
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Quote Originally Posted by shannda View Post
    Did you ever get this resolved? I'm in a similar situation. SM refuses to point me to a solution, they just keep stating the error and that I need to fix it. I would love to know if you resolved it and how did you do it.
    Wish I had a good story for you, but I don't.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: PCI Scan - SQL injection vul

    Quote Originally Posted by Terrill_Taylor View Post
    "http://www.xxxxxxx.com/index.php? action=multiple_products_add_product%3F--- --------------------------7960974498108416 42884967624%0D%0AContent-Disposition%3A+fo rm-data+and+1%3D1&sort=20a&cPath=100&+name =%22submit1.x%22%0D%0A%0D%0A1%0D%0A-----
    Your host has a mod_sec rule in place to protect you from possible SQL Injection attempts, which is what's triggering a blank page and/or a 406 response when someone attempts to visit that URL.

    Quote Originally Posted by YourHostingCompany
    Access denied with code 406 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|fr om\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|in st)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makew ebtask)|ql_(? ..." at ARGS:name. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "83"] [id "950001"] [msg "SQL Injection Attack. Matched signature <and 1=>"] [severity "CRITICAL"]

    Mod_sec is always gonna nail you on this before it gets to Zen cart which also would have done nothing with it as it scrubs the input before taking action
    Mod_sec fires before Zen Cart even comes into the picture.

    IMO, if SM is too technically incompetent to understand that the security systems of common webservers are providing protections before the application can ever be invoked, and are flagging you as failing because of it, then they have no business being in the security field.

    If SM won't listen to *you*, then log a ticket with your hosting company for assistance, as this issue is not a Zen Cart issue.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Aug 2006
    Posts
    94
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    Quote Originally Posted by DrByte View Post
    If SM won't listen to *you*, then log a ticket with your hosting company for assistance, as this issue is not a Zen Cart issue.
    SM would not listen to us or our host. We have given up on them, we will be making a change when our agreement is up. Basically we will fail several scans in a row, and then randomly pass. ~whatever.

  6. #6
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: PCI Scan - SQL injection vul

    The way these scans work is this: You see 3 URLs in their alleged "proof of concept". Two are the same, and the third has a SQL Injection inserted into it. They have their scanner submit the first URL and get a copy of whatever the server responds with. Then they submit the second URL. Then they compare the results. They are looking for at least three cases: a) identical response (pass), b) different responses (fail), c) echoed output of the added injected text (fail)
    Since your mod_sec is blocking the injection attempt, a blank page is being rendered, and since the blank page is different from the "okay" page, their unintelligent robot blindly marks it as a fail.
    A human needs to get involved and see that the 406 response to the SQL Injection attempt (hack attempt) is an acceptable (safe) response.
    If the human is too lazy to do that, or too incompetent to even realize what's going on, then you'll have no success convincing them.
    If they are unwilling to investigate the real situation or are scared of the potential liability of believing your assertion of the false-positive, then you I suspect you ought to be able to demand a free release from your contract due to their unwillingness or incompetence to perform the required service at an acceptable level.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  7. #7
    Join Date
    Dec 2005
    Posts
    44
    Plugin Contributions
    0

    Default Re: PCI Scan - SQL injection vul

    In my ongoing battle with Security Metrics I can't get the "possible SQL injection" error to a passing grade.

    This is what they are telling me. Yet, I can't figure out how to resolve it.

    "The problem is that the true or false statement they add to the end of the home page /index.php gives two different results. The first one (+1=1) gives a 403 forbidden error, and the second one (+1=0) brings you to a search page that says “no results found.” They both have to redirect to the same place, the difference is causing the scan to flag.

    He says if you can provide a valid reason why they redirect to different places, they can mark it as a false positive. Otherwise the +1 +0 has to be redirected to the 403 forbidden page."

  8. #8
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: PCI Scan - SQL injection vul

    Tell them that when they're doing SQL injection attempts like that, the "403 Forbidden" comes from Server Security Rules (mod_sec) that are trapping their SQL Injection hack BEFORE the software has any chance to do anything.
    And the "no results found" is the natural result of the software properly detecting that invalid data was submitted, and taking corresponding action.

    Ask SM whether they are professionally advising you to tell your hosting company to RELAX the security which PROTECTS the server from hacking. If so, then get them to put it in writing, with their president signing it.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  9. #9
    Join Date
    May 2010
    Location
    WA State
    Posts
    1,678
    Plugin Contributions
    3

    Default Re: PCI Scan - SQL injection vul

    I ran in to the same issue with my first couple Security Metrics scans. It took a few phone calls before I got ahold of a tech with a clue, but when I did he entered it as a false positive. All has been well since.

 

 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg