-
Re: alleged blind sql injection
Seems like they come up with something new each week.
-
13 Oct 2009, 01:46 PM
#32
Re: alleged blind sql injection
My client's server is running 1.3.8a of Zen Cart with the latest security patch installed.
Yesterday I got a message from the nsProtect Safe, the service we subscribe to.
Vulnerability Scan Failed for www.mywebsite.com 10-13-2009 02:49:02 ET - View Report
Your nsProtect Safe seal will be suspended if the vulnerability is not remedied within seven (7) days.
Status: Scan Failed
This is the report:
Security alert found on port/service "http (80/tcp)"
Plugin "Comodo Blind SQL injections"
Category "CGI abuses"
Priority Ranking "Urgent"
The following CGI script seems to be vulnerable to BLIND SQL injection techniques: /[categoryname]-c-175_192.html
Unsafe arguments: zenid
Unsafe URLs: /[categoryname]-c-175_192.html?zenid=7fd067910b9848cb47ebd6e97f5d7dba%22+OR+1=1+%23
An attacker may exploit these flaws to bypass authentication or to take control of the remote database.
Is this also a false warning, or do I have some real security issue ?
Please advise.
-
13 Oct 2009, 01:54 PM
#33
Re: alleged blind sql injection
Are you using Simple SEO URL? I had a similar problem with Security Metrics which disappeared when I upgraded Simple SEO URL (SUU) to the latest version.
-
13 Oct 2009, 04:45 PM
#34
Re: alleged blind sql injection
@dsided
Thanks for the reply. I'm using the 'Ultimate SEO URLs' mod, and it is the latest version.
-
13 Oct 2009, 06:05 PM
#35
Re: alleged blind sql injection
Looks like they might be using some COMODO algorithms. If so, try registering for the free PCI Scan at hackerguardian.com. I've found their test to be accurate and accepted by other scanners as evidence that we're compliant.
HTH
-
13 Oct 2009, 08:02 PM
#36
Re: alleged blind sql injection
@dbltoe
Thanks for the tip, I registered at hackerguardian.com and initiated a security scan. Now waiting for the report.
-
15 Oct 2009, 09:39 PM
#37
Re: alleged blind sql injection
Just got off the phone with Security Metrics for my quarterly "we don't have a blind sql injection problem" talk.
Again, elevated to a "supervisor" (translation-- can operate outside the flow chart) who will "elevate the problem for review."
"Supervisor" of the day even had the audacity to state that sites using only offsite entry and processing (like PayPal Express) were still subject to full blown PCI requirements.
They still refuse to change any testing method or whitelist any site using dynamically created html.
The only tie-in I see with Security Metrics is the merchant accounts from Sam's. Time to peruse what Costco does.
-
16 Oct 2009, 05:22 AM
#38
Re: alleged blind sql injection
Surely they're smart enough to know that mod_security rules are a good thing?
Get them to prove there's *really* an injection by *actually* doing one that *actually* creates a problem on the site.
That should keep them busy for a few months anyway.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
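The scanner report quoted in post #32 and DrByte's "make them actually do one" in post #38 both come down to one question: does the page's behaviour actually change with the truth of an injected SQL condition, or does it simply render for any zenid because zenid is an opaque session key? The script below is an added example, not code from this thread or from Zen Cart. It builds a constructed in-memory "shop" with two hypothetical handlers (one splicing zenid straight into SQL, one using a parameterised query), an illustrative single-request heuristic that is an assumption about how a scanner might flag a page and not the vendor's actual logic, and a boolean-based differential check of the kind a pentester would run to confirm or refute the finding. The base URL, the session key and the product list are all made up.

```python
"""Boolean-based blind SQL injection differential check (added example)."""
import difflib
import sqlite3
from typing import Callable, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# --- Constructed stand-in for the shop: one sessions table, one known session --
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, customer_id INTEGER)")
_db.execute("INSERT INTO sessions VALUES ('7fd067910b9848cb47ebd6e9', 42)")
_db.commit()

SEED = "7fd067910b9848cb47ebd6e9"                      # zenid value the scanner tampers with (constructed)
BASE = "http://shop.example/category-c-175_192.html"   # hypothetical SEO-style category URL
PRODUCTS = "<ul><li>Widget A</li><li>Widget B</li><li>Widget C</li></ul>"
THRESHOLD = 0.97        # difflib ratio at or above which two pages count as "the same"

def _zenid(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("zenid", [""])[0]

def _render(row) -> str:
    greeting = (f"Welcome back, customer {row[0]}" if row
                else "Welcome, guest. Please log in.")
    return f"<h1>Category 175_192</h1><p>{greeting}</p>{PRODUCTS}"

def vulnerable_app(url: str) -> str:
    """Hypothetical handler that splices zenid straight into SQL. Database errors
    are swallowed, so nothing is echoed back: that is what makes the flaw *blind*."""
    try:
        row = _db.execute(
            f"SELECT customer_id FROM sessions WHERE sesskey = '{_zenid(url)}'").fetchone()
    except sqlite3.Error:
        row = None
    return _render(row)

def safe_app(url: str) -> str:
    """Same page with a parameterised query: zenid is data, never SQL text."""
    row = _db.execute("SELECT customer_id FROM sessions WHERE sesskey = ?",
                      (_zenid(url),)).fetchone()
    return _render(row)

# --- Two ways of deciding whether zenid is injectable --------------------------
Fetch = Callable[[str], str]

def _url(value: str, base: str = BASE, param: str = "zenid") -> str:
    return f"{base}?{urlencode({param: value})}"   # '"' -> %22 and '#' -> %23, as in the report

def _same(a: str, b: str) -> bool:
    return difflib.SequenceMatcher(None, a, b).ratio() >= THRESHOLD

def single_payload_check(fetch: Fetch, seed: str = SEED) -> bool:
    """One tampered request; flag if the page still renders without an error.
    Illustrative heuristic (an assumption, not any vendor's logic): it fires on
    any page that survives a mangled session id, so it cannot tell a
    parameterised handler from an injectable one."""
    body = fetch(_url(seed + '" OR 1=1 #'))
    return "<h1>" in body and "sql" not in body.lower() and "error" not in body.lower()

PAIRS = [  # (condition true, condition false) for single-quoted, double-quoted and numeric contexts
    ("' AND 1=1 -- ", "' AND 1=2 -- "),
    ('" AND 1=1 -- ', '" AND 1=2 -- '),
    (" AND 1=1 -- ", " AND 1=2 -- "),
]

def differential_check(fetch: Fetch, seed: str = SEED) -> Tuple[bool, str]:
    """Confirm boolean-based blind SQLi: the TRUE payload must reproduce the
    baseline page and the FALSE payload must change it. Returns (vulnerable, why)."""
    baseline = fetch(_url(seed))
    if not _same(baseline, fetch(_url(seed))):      # dynamic page: a diff proves nothing
        return False, "page differs between identical requests; differential test inconclusive"
    for t, f in PAIRS:
        if _same(baseline, fetch(_url(seed + t))) and not _same(baseline, fetch(_url(seed + f))):
            return True, f"page tracks the injected condition: {t!r} vs {f!r}"
    return False, "no payload pair changed the page; injection not confirmed"

if __name__ == "__main__":
    for name, app in (("parameterised", safe_app), ("injectable", vulnerable_app)):
        print(f"{name:13} single-payload={single_payload_check(app)} "
              f"differential={differential_check(app)}")
```

Run against the parameterised handler, the single-payload heuristic still fires (the category page renders for any zenid) while the differential check reports nothing, which is the false-positive pattern the thread describes; against the injectable handler both fire, and the differential check names the payload pair that flipped the page. The stability check on two identical baseline requests is what keeps dynamically generated pages (the "dynamically created html" mentioned in post #37) from being misread as injection evidence.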
-
16 Oct 2009, 05:40 AM
#39
Re: alleged blind sql injection
That's assuming logic is in their bag of arrows.
The bit of irony in all this is that a company can just blow this off and continue to pay the $19.95 a month as a fee to operate. If you're making enough, just blow it off and go on.
Here we are, able to prove we are compliant and they refuse to change.
As with most everything else in our current economy, I feel they err on the side of greed.
Thanks for taking the time to answer. I know you're busy with the dolls.
Content and Graphics Copyright (c) 2003 - 2024 Zen Ventures, LLC - all rights reserved
Zen Cart® is a Registered Trademark of Zen Ventures, LLC