Page 2 of 4
Results 11 to 20 of 39
  1. #11
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,108
    Plugin Contributions
    11

    Re: blind sql injection

    Here's my latest response from Security Metrics
    The example URLs that are being given in the test results aren't simply a difference of source code, but of server response. The first example is a difference of 404 error and 403 forbidden:
    http://www.mysite.com/index.php?amp=...x+and+1%3D0%22
    http://www.mysite.com/index.php?amp=...x+and+1%3D1%22
    and
    http://www.mysite.com/index.php?amp=...nd+1%3D1%22%3E
    http://www.mysite.com/index.php?amp=...nd+1%3D0%22%3E

    If it were only showing me a difference due to dynamically created web content, that might be different. This appears to be trying to validate/resolve the expressions and does indicate possible Blind SQL, which would need to be resolved.
    Naturally, the links I use are bogus.
    Any thoughts on a fix?

  2. #12
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Re: blind sql injection

    Well yes,

    Obviously the cart will return 404, because the page

    http://www.mysite.com/index.php?amp=...x+and+1%3D0%22

    does not exist.

    Moreover, the fact that Zen Cart recognises that the main_page parameter has been altered and produces a 404 header actually shows that we are sanitizing that input in order to protect the site from a sql injection.
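
To illustrate the point made above about a 404 coming from input checking rather than from the database, here is an added example (not Zen Cart's code, written in Python rather than PHP). It stands in a hypothetical page router, an in-memory SQLite table, and a constructed probe in the same "and 1=1 / and 1=0" style the scanner uses, and shows that a whitelisted main_page gives the same 404 for both probes while a string-concatenated query does not.

```python
import sqlite3

# Constructed in-memory table standing in for the cart's page catalogue.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE pages (name TEXT, body TEXT)")
_db.executemany("INSERT INTO pages VALUES (?, ?)",
                [("index", "<h1>Home</h1>"), ("contact_us", "<h1>Contact</h1>")])

# Hypothetical whitelist of pages the router may serve; anything else is a 404.
ALLOWED_PAGES = {"index", "contact_us"}


def vulnerable_handler(main_page: str) -> tuple[int, str]:
    """Hypothetical handler that splices main_page straight into SQL.
    A boolean probe rewrites the WHERE clause, so the 1=1 and 1=0
    variants produce different responses: that is the scanner's signal."""
    sql = f"SELECT body FROM pages WHERE name='{main_page}'"
    try:
        row = _db.execute(sql).fetchone()
    except sqlite3.Error:
        return 500, "error"
    return (200, row[0]) if row else (404, "not found")


def hardened_handler(main_page: str) -> tuple[int, str]:
    """Check the page name against the whitelist first, then query with a
    bound parameter. Any altered main_page is rejected before SQL runs."""
    if main_page not in ALLOWED_PAGES:
        return 404, "not found"
    row = _db.execute("SELECT body FROM pages WHERE name=?", (main_page,)).fetchone()
    return (200, row[0]) if row else (404, "not found")


def boolean_probe_differs(handler, base: str) -> bool:
    """The differential heuristic described in the thread: send a
    true-condition and a false-condition variant of the parameter and
    report whether the two responses differ. Identical responses mean
    the input never reached a query the probe could influence."""
    true_resp = handler(f"{base}' and '1'='1")   # constructed probe
    false_resp = handler(f"{base}' and '1'='0")  # constructed probe
    return true_resp != false_resp
```

With the whitelist in place both probes return the same 404, so a scanner that only compares response bodies has no difference to report; a real difference between the two variants would be the thing to investigate.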

  3. #13
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: blind sql injection

    Regarding the comments about Security Metrics applying a "FIX" for the site in question - they don't do any such thing. All they do is to run a series of tests according to their criteria and it's then up to you to fix the site.

    Vger

  4. #14
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,108
    Plugin Contributions
    11

    Re: blind sql injection

    I think I need to reiterate that I have no argument with Security Metrics.

    My customer was told that his non-compliance would be fixed by purchasing a year of their service.

    The salesperson did not say could be fixed or that their scans could be helpful in fixing the problems.

    For that reason, my customer sat back for another quarter until the next merchant statement came in and wondered why they were still being charged $20 per month for non-compliance.

    It's the salesperson who's at fault in this scenario. The salesperson misrepresented their service to make a sale and that is where my beef lies.

    The merchant account company is willing to rebate the charges once we can get the false positives squared away. Security Metrics was quick to realize the false positive for FrontPage, but I'm having a tough time with the alleged blind SQL situation.

    I'll gather some more info (ammo) and try to talk to them in person.

  5. #15
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,108
    Plugin Contributions
    11

    Re: alleged blind sql injection

    Wilt,
    You may not have noticed that I used bogus URLs for my example.
    IF there is something wrong, I certainly don't want someone getting in.
    Actual URLs available by PM on request.
    THANX for the help.

  6. #16
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Re: alleged blind sql injection

    Gosh

    I am Soooo dumb, I never realized that those were not the actual URLs of your site.

  7. #17
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,108
    Plugin Contributions
    11

    Re: alleged blind sql injection

    Well, I only wondered because the 404 page you mentioned does resolve when using the true URL.

  8. #18

    Re: alleged blind sql injection

    Did you ever determine for sure if these are false positives or not? I'm using HP's WebInspect to test mysite (1.37) and it reports "confirmed", not "possible" like I usually see for Blind SQL Injection. Sample request is posted below. I'm understandably concerned.

  9. #19
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Re: alleged blind sql injection

    As long as the cart is 1.3.8 and patches are up to date, then yes, it's a false issue...

    We have MANY Zen Cart sites that passed Security Metrics.
    Zen cart PCI compliant Hosting

  10. #20
    Join Date
    Mar 2007
    Posts
    37
    Plugin Contributions
    0

    Re: alleged blind sql injection

    Quote Originally Posted by Merlinpa1969
    > As long as the cart is 1.3.8 and patches are up to date, then yes, it's a false issue...
    >
    > We have MANY Zen Cart sites that passed Security Metrics.

    Running Zen Cart version 1.3.7 with security_patch_v138_20080919.php and got this same blind SQL error from Security Metrics just today. Here is the specific message (domain name obviously altered)

    I've really got no idea where to go from here on fixing this; can someone point me in the right direction? I *know* I should update to 1.3.8, but it's not something I can take the time to do right now, so I'd really like to get this fixed with what I've currently got running if possible :)
