Page 4 of 4 FirstFirst ... 234
Results 31 to 39 of 39
  1. #31
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,133
    Plugin Contributions
    11

    Default Re: alleged blind sql injection

    Seems like they come up with something new each week.

  2. #32
    Join Date
    Feb 2009
    Posts
    20
    Plugin Contributions
    0

    Default Re: alleged blind sql injection

    My client server is running a 1.3.8a of zen cart with the latest security patch installed.

    Yesterday I got a message from the nsProtect Safe, the service we subscribe to.


    Vulnerability Scan Failed for www.mywebsite.com 10-13-2009 02:49:02 ET - View Report
    Your nsProtect? Safe seal will be suspended if vulnerability not remedied within seven (7) days.
    Status: Scan Failed

    This is the report:

    Security alert found on port/service "http (80/tcp)"
    Plugin "Comodo Blind SQL injections"
    Category "CGI abuses"
    Priority Ranking "Urgent"

    The following CGI script seem to be vulnerable to BLIND SQL injection techniques : /[categoryname]-c-175 _192.html Unsafe arguments : zenid Unsafe URLs : /[categoryname]-c-175 _192.html?zenid=7fd067910b9848cb47ebd6e9 7f5d7dba%22+OR+1=1+%23 An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.

    Is this also a false warning, or do I have some real security issue?
    Please advise.

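    The scanner report above tacks `" OR 1=1 #` (URL-encoded as `%22+OR+1=1+%23`) onto the zenid parameter. Whether that is a real finding depends on what the application does with the value, and the defender's first check is how strictly the parameter is validated before it reaches session handling or any query. The block below is an added example, not code from Zen Cart or from anyone in this thread. It assumes that zenid carries the PHP session identifier and that, with the default session handler, a legitimate value is exactly 32 lowercase hex characters; the sample request targets and access-log lines are constructed to mirror the report, and the client addresses are documentation ranges.

```python
"""Strict whitelist validation of the Zen Cart ``zenid`` query parameter.

Added example, not Zen Cart's own code. Assumption: zenid is the PHP
session identifier, which with the default session handler is 32
lowercase hexadecimal characters, so any other value can be discarded
before it is used for anything.
"""
import re
from urllib.parse import parse_qs, urlsplit

ZENID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample requests modelled on the scanner report: the second
# one carries the report's probe payload (" OR 1=1 #, URL-encoded).
SAMPLE_REQUESTS = [
    "/category-c-175_192.html?zenid=7fd067910b9848cb47ebd6e97f5d7dba",
    "/category-c-175_192.html?zenid=7fd067910b9848cb47ebd6e97f5d7dba%22+OR+1=1+%23",
    "/category-c-175_192.html",
]


def extract_zenid(request_target):
    """Return the percent-decoded zenid value, or None when the parameter is absent."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("zenid")
    return values[0] if values else None


def is_valid_zenid(value):
    """True only for a value that is exactly 32 lowercase hex characters."""
    return value is not None and ZENID_RE.fullmatch(value) is not None


def classify_request(request_target):
    """'absent': start a fresh session.  'ok': resume the named session.
    'rejected': ignore the supplied value entirely and start a fresh session,
    so nothing outside the whitelist ever reaches session storage or SQL."""
    value = extract_zenid(request_target)
    if value is None:
        return "absent"
    return "ok" if is_valid_zenid(value) else "rejected"


# Constructed Apache combined-style access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Oct/2009:02:49:02 -0400] "GET /category-c-175_192.html?zenid=7fd067910b9848cb47ebd6e97f5d7dba HTTP/1.1" 200 8811
203.0.113.5 - - [13/Oct/2009:02:49:03 -0400] "GET /category-c-175_192.html?zenid=7fd067910b9848cb47ebd6e97f5d7dba%22+OR+1=1+%23 HTTP/1.1" 200 8811
198.51.100.9 - - [13/Oct/2009:02:50:10 -0400] "GET /index.php?main_page=index HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def find_malformed_zenid(log_text):
    """Return (client_ip, request_target, status, size) for every logged request
    whose zenid value fails the whitelist; scanner probes show up here."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # skip lines that are not in the expected log format
        if classify_request(match.group("target")) == "rejected":
            hits.append((match.group("ip"), match.group("target"),
                         match.group("status"), match.group("size")))
    return hits


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(classify_request(target), target)
    for hit in find_malformed_zenid(SAMPLE_LOG):
        print("non-whitelisted zenid from", *hit)
```

    With the whitelist in place the probe value is dropped before it can influence anything, which is the property to point the scanning vendor at. The log helper pulls out the probe requests so you can compare their status and response size against the clean request next to them; the constructed lines show the identical 200/8811 pair you would expect when the parameter's content does not change the page.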
  3. #33
    Join Date
    Jun 2008
    Posts
    129
    Plugin Contributions
    0

    Default Re: alleged blind sql injection

    Are you using Simple SEO URL? I had a similar problem with Security Metrics which disappeared when I upgraded Simple SEO URL (SUU) to the latest version.
    John Crumpton, Technical Director of Double Sided
    Zen cart shop: Buy happie loves it

  4. #34
    Join Date
    Feb 2009
    Posts
    20
    Plugin Contributions
    0

    Default Re: alleged blind sql injection

    @dsided

    Thanks for the reply. I'm using 'Ultimate SEO URLs' mod and it is the latest version that I'm using.

  5. #35
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,133
    Plugin Contributions
    11

    Default Re: alleged blind sql injection

    Looks like they might be using some COMODO algorithms. If so, try registering for the free PCI Scan at hackerguardian.com. I've found their test to be accurate and accepted by other scanners as evidence that we're compliant.

    HTH

  6. #36
    Join Date
    Feb 2009
    Posts
    20
    Plugin Contributions
    0

    Default Re: alleged blind sql injection

    @dbltoe

    Thanks for the tip, I registered at hackerguardian.com and initiated a security scan. Now waiting for the report.

  7. #37
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,133
    Plugin Contributions
    11

    Default Re: alleged blind sql injection

    Just got off the phone with Security Metrics for my quarterly "we don't have a blind sql injection problem" talk.

    Again, elevated to a "supervisor" (translation-- can operate outside the flow chart) who will "elevate the problem for review."

    "Supervisor" of the day even had the audacity to state that sites using only offsite entry and processing (like PayPal Express) were still subject to full blown PCI requirements.

    They still refuse to change any testing method or whitelist any site using dynamically created html.

    The only tie-in I see with Security Metrics is the merchant accounts from Sam's. Time to peruse what Costco does.


  8. #38
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: alleged blind sql injection

    Surely they're smart enough to know that mod_security rules are a good thing?

    Get them to prove there's *really* an injection by *actually* doing one that *actually* creates a problem on the site.
    That should keep them busy for a few months anyway.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  9. #39
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,133
    Plugin Contributions
    11

    Default Re: alleged blind sql injection

    That's assuming logic is in their bag of arrows.

    The bit of irony in all this is that a company can just blow this off and continue to pay the $19.95 a month as a fee to operate. If you're making enough, just blow it off and go on.

    Here we are, able to prove we are compliant and they refuse to change.

    As with most everything else in our current economy, I feel they err on the side of greed.

    Thanks for taking the time to answer. I know you're busy with the dolls.
