  1. #1
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,157
    Plugin Contributions
    11

    alleged blind sql injection

    Here's what I get from a PCI Compliance scan
    Possible blind sql injection on http://www.mysite.com/index.php?amp=&main_page=index

        wp --bsql "http://www.mysite.com/index.php?amp=&main_page=index" "http://www.mysite.com/index.php?amp=&main_page=index+and+1%3D1" "http://www.mysite.com/index.php?amp=&main_page=index+and+1%3D0"

        cat <<EOF > bsql.sh
        curl -L "http://www.mysite.com/index.php?amp=&main_page=index+and+1%3D1"> a
        curl -L "http://www.mysite.com/index.php?amp=&main_page=index+and+1%3D0"> b
        diff a b
        EOF
        sh bsql.sh

    This website may have other injection related vulnerabilities.
    Is this something that can be fixed by the change to application top?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: blind sql injection

    Who's the scanning company?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Re: blind sql injection

    hi,

    The PCI checking software is flawed.

    What it is doing is calling the index page with 2 slightly different urls, supposedly in the mistaken belief that any differences in the html output would be caused by errors generated by a blind sql injection.

    However the main page is dynamic, and even called twice with exactly the same url, will produce different html output, as some product information is chosen randomly.


    automated PCI Compliance software
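The nondeterminism wilt describes can be measured before a diff-based finding is accepted. The following Python is an added example, not code from the thread or from the scanner: it uses a constructed stand-in for the shop home page, and takes the scanner's two saved responses (the files a and b from its own script) together with several fetches of the identical, unmodified URL.

```python
"""Triage a diff-based "blind SQL injection" finding against the page's own noise.
Added example, not code from the thread or from the scanner: the scanner's
files a and b are compared with repeated fetches of the IDENTICAL URL first."""
import difflib
import random
from typing import List, Tuple

# Constructed stand-in for the Zen Cart home page: a featured product is
# picked at random on every request, the behaviour wilt describes above.
PRODUCTS = ["Blue Widget", "Red Gadget", "Green Gizmo", "Yellow Doohickey"]

def home_page(product: str) -> str:
    """Render the page for one featured product; everything else is static."""
    return ("<html><body><h1>Welcome to the shop</h1>\n"
            f'<div class="featured">{product}</div>\n'
            '<div class="footer">(c) shop</div></body></html>\n')

def fetch_home_page(rng: random.Random) -> str:
    """Mimics `curl -L <index url>`: same URL, different featured block."""
    return home_page(rng.choice(PRODUCTS))

def similarity(a: str, b: str) -> float:
    """Ratio in 0.0..1.0; 1.0 means the two responses are identical."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def baseline_noise(pages: List[str]) -> float:
    """Lowest pairwise similarity among repeated fetches of the SAME URL.
    Anything below 1.0 means the page is non-deterministic."""
    pairs = (similarity(p, q) for i, p in enumerate(pages) for q in pages[i + 1:])
    return min(pairs, default=1.0)

def triage(scanner_a: str, scanner_b: str, baseline: List[str]) -> Tuple[str, float, float]:
    """Is the scanner's a/b diff any larger than the page's run-to-run noise?"""
    noise = baseline_noise(baseline)
    observed = similarity(scanner_a, scanner_b)
    if observed >= noise:
        return "inconclusive", noise, observed  # explained by page noise alone
    return "investigate", noise, observed       # exceeds anything seen at baseline

if __name__ == "__main__":
    rng = random.Random()
    samples = [fetch_home_page(rng) for _ in range(8)]  # same URL, eight times
    a, b = fetch_home_page(rng), fetch_home_page(rng)  # the scanner's "a" and "b"
    print(triage(a, b, samples))
```

A verdict of "inconclusive" is exactly the situation in this thread: the scanner's diff is no larger than the difference between two fetches of the unmodified page, so it says nothing about the database.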

  4. #4
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,157
    Plugin Contributions
    11

    Re: blind sql injection

    securitymetrics and, unfortunately one of my clients is being billed until I can prove them wrong.
    COMODO does not return this as a problem.

  5. #5
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: blind sql injection

    Well, as wilt said, the method they're using is horribly flawed and smacks of being very amateurish if it's supposed to "confirm" the existence of some sort of sql injection matter. It's presuming that the site operates only using a static HTML page for their home page, and is thus entirely unreliable when used against a dynamically-driven site such as Zen Cart.

    Challenge them back ... ask them to actually prove that there really *is* any SQL injection happening. The method you quoted from them is only confirming that the built-in logic for displaying randomly-selected data on the home page ... is actually working properly. You can give them thanks for confirming correct operation. But if they want to slam you for being somehow not secure, ask them to provide REAL proof ... because their current "proof" is flawed. My 10-year-old niece could do what they're doing and billing you for, and all she'd want is a fresh batch of hot cookies. Chocolate please.

  6. #6
    Join Date
    Sep 2003
    Location
    Ohio
    Posts
    69,402
    Plugin Contributions
    6

    Re: blind sql injection

    Cookies!!!
    Linda McGrath
    If you have to think ... you haven't been zenned ...

    Did YOU buy the Zen Cart Team a cup of coffee and a donut today? Just click here to support the Zen Cart Team!!

    Are you using the latest? Perhaps you've a problem that's fixed in the latest version: [Upgrade today: v1.5.5]
    Officially PayPal-Certified! Just click here

    Try our Zen Cart Recommended Services - Hosting, Payment and more ...
    Signup for our Announcements Forums to stay up to date on important changes and updates!

  7. #7
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: blind sql injection

    we have never had any issues with security metrics and their scans...
    we deal with security metrics a lot
    Zen cart PCI compliant Hosting

  8. #8
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,157
    Plugin Contributions
    11

    Re: blind sql injection

    Should've practiced what I preach and told the whole story.

    One of my customers discovered an extra $19.95 fee on their monthly statement from their merchant account provider (First Data Merchant Services). An inquiry to them brought, "You are being charged an extra fee for non-compliance with PCI requirements." They then suggested that my client contact securitymetricsDOTcom to "get the situation resolved."
    Of course, Security Metrics confirmed the problem and convinced the client to pay $$$ to "fix his server."
    Their version of fix turned out to be a scan that proceeded to show a false positive for FrontPage and the blind sql problem.
    I have done a scan with COMODO (our certificate provider) and it had the same false positive for FrontPage but did not show any sql injection problem. I reported the false positive to COMODO and will use their response on that front.
    For the sql injection false positive, thanks to all of you for providing ammunition for the next round of fire with these folks.
    Of course, the customer has just recently changed to First Data Merchant Services and would incur $$$ to leave them.
    Caveat Emptor was a VERY optimistic statement.

    TO THE LURKERS:
    There are sites that will perform a free PCI compliance check. The one run by COMODO has my vote.

  9. #9
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Re: blind sql injection

    We have had other reports (in the private Security Matters forum) that Security Metrics was actually telling the poster that the page is flagged because it produces different output based on the 2 different URL/Parameter combinations. The same issue as discussed above, but equally invalid reasoning.

    Edit: Link removed

  10. #10
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,157
    Plugin Contributions
    11

    Re: blind sql injection

    Quote Originally Posted by Merlinpa1969:
        we have never had any issues with security metrics and their scans...
        we deal with security metrics a lot
    What bothered me the most about this one is that the SM rep claimed to the customer that the $$$ fee would include their (SM) fixing the server!
    So far, they're not listening to the customer. Hopefully, they will listen to me now that I have some ammo.