Results 1 to 3 of 3
  1. #1
    Join Date
    Dec 2005
    Posts
    44
    Plugin Contributions
    0

    Default Contraol Scan Issues- don't allow certain user names like admin

    Hello, My clients control scan won't pass because I need to not allow the use of "admin" as a user name. What can I do to add this so my client can pass. I'm so frustrated and want to get her to pass.

  2. #2
    Join Date
    Dec 2005
    Posts
    44
    Plugin Contributions
    0

    Default Re: Contraol Scan Issues- don't allow certain user names like admin

    Here is what Control Scan says I need to do.


    This is what they are saying I have to fix in order to pass.

    THREAT REFERENCE

    Summary:
    Blind SQL injection vulnerability in utm_source parameter to /cc-skye/

    Risk: High (3)
    Port: 80/tcp
    Protocol: tcp
    Threat ID: web_prog_sql_blind

    Details: When a web application uses user-supplied input parameters
    within SQL queries without first checking them for unexpected
    characters, it becomes possible for an attacker to
    manipulate the query. This type of attack is known as a
    SQL injection attack.

    For example, suppose a web program passes the following
    query to the database application:


    SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'


    where $user and $pass are variables supplied by the user through a web form.
    So if the user were to enter the name "admin" and the password "abc", the query would become:


    SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='abc'


    and the database would return any existing record where the username is "admin" and the password is "abc", thus authenticating
    the user if the password "abc" is correct. Now suppose an attacker were to enter a malformed password such as the following:


    ' OR 'a'='a


    Inserting the malformed password into the query exactly as
    it appears above would cause the query to become:


    SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='' OR 'a'='a'


    The resulting query would return the records where the username
    is "admin" and the password is null OR the string 'a' equals 'a', which is always true.
    Thus, by manipulating the SQL query, all records are returned from the table
    without having known the correct password.

    This is just one example of an attack which is possible
    using SQL injection. Other forms of attacks could allow
    the attacker to gain unauthorized read, write, or delete
    access to the database, or to retrieve passwords.

    There are also security bypass vulnerabilities which allow for the
    bypass of anti-sql-injection filters in the software.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Contraol Scan Issues- don't allow certain user names like admin

    Quote Originally Posted by shannda View Post
    vulnerability in utm_source parameter to /cc-skye/
    Zen Cart uses neither "utm_source" nor "/cc-skye/" in any of its code.

    You'll need to trace down your issues to whatever you added to your site to put that there, and deal with those components you added.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. v151 From multiple Option Names and Attributes allow user to select one attribute only
    By tipada in forum Setting Up Categories, Products, Attributes
    Replies: 4
    Last Post: 27 Jan 2013, 03:10 AM
  2. possible? don't allow Credit cards below certain order $ value
    By highlander in forum Built-in Shipping and Payment Modules
    Replies: 1
    Last Post: 9 Dec 2010, 03:47 AM
  3. Can I allow certain users to have access to only certain categories?
    By bparker in forum Customization from the Admin
    Replies: 2
    Last Post: 8 Sep 2009, 08:41 PM
  4. allow certain groups to see only certain products.
    By cushietushies in forum Discounts/Coupons, Gift Certificates, Newsletters, Ads
    Replies: 1
    Last Post: 3 Oct 2008, 04:33 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg