PCI compliance scan SQL Injection warning

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.

Postby dandersonMLT » Tue Oct 03, 2017 2:59 pm

I recently ran an automated PCI Compliance scanner on my site and it is reporting a SQL injection vulnerability in the SimpleSearch and Search.aspx.
The scanner seems to be injecting a waitfor to see if it increases the time for the search to return, and it is reporting that it is increasing the time.

The search methods in search.aspx are closed source in our edition, so I can't really verify if it is doing anything to protect against SQL injection.

Below is a snippet of the threat information from PCI Compliance scan. I am not including everything because I don't want to expose too much information.

THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in ctl00$ctl00$NestedMaster$PageHeader$StoreHeader_H$SimpleSearch$SearchButton parameter to {page url}

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters
within SQL queries without first checking them for unexpected
characters, it becomes possible for an attacker to
manipulate the query. This type of attack is known as a
SQL injection attack.
dandersonMLT
Lieutenant (LT)
Posts: 66
Joined: Sun Oct 04, 2015 5:45 pm

Re: PCI compliance scan SQL Injection warning

Postby Katie » Wed Oct 04, 2017 2:51 am

Which version of AbleCommerce are you using?

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
Katie
AbleCommerce Admin
Posts: 2462
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Postby dandersonMLT » Wed Oct 04, 2017 2:56 am

AbleCommerce GoldR10SR1 (build 8620)

Re: PCI compliance scan SQL Injection warning

Postby Katie » Thu Oct 05, 2017 5:38 am

I'm sorry. Is it the WAP or WSP version?

Thanks!
Katie

Re: PCI compliance scan SQL Injection warning

Postby dandersonMLT » Thu Oct 05, 2017 6:38 am

WSP

Re: PCI compliance scan SQL Injection warning

Postby Katie » Fri Oct 06, 2017 8:33 am

Hi,

Can you open a support ticket please? Just go to https://www.ablecommerce.com/helpdesk.aspx
If you don't have an account, you can create one.

I need to be able to get you some information in a secure manner. Please reference this forum post.

Thanks
Katie

Re: PCI compliance scan SQL Injection warning

Postby dandersonMLT » Fri Oct 06, 2017 8:46 am

Done. Thank you.

Re: PCI compliance scan SQL Injection warning

Postby Katie » Wed Oct 11, 2017 4:21 am

Thanks for getting back to me on the patch. For anyone else who might be reading this, the help site was just updated with the official patches here:

http://help.ablecommerce.com/index.htm#upgrades/acgold/path-based_cross-site_scripting_(xss)_failure.htm

Thanks,
Katie

Re: PCI compliance scan SQL Injection warning

Postby jguengerich » Wed Oct 11, 2017 9:50 am

Katie,

In the R12 patch, the root directory web.config does not contain the modification described in step 1 of the instructions. I didn't check the R10 or R11 patches.
Jay
jguengerich
Captain (CAPT)
Posts: 360
Joined: Tue May 07, 2013 1:59 pm

Re: PCI compliance scan SQL Injection warning

Postby Katie » Wed Oct 11, 2017 10:31 am

Hi Jay,

Actually, the Readme.doc has a mistake. I am uploading new versions now. This is the correct information if you've already downloaded.

1) Edit the \web.config

Change from:

    <pages theme="Bootstrap_Responsive" validateRequest="false" enableEventValidation="false" clientIDMode="AutoID">

Change to:

    <pages theme="Bootstrap_Responsive" enableEventValidation="false" clientIDMode="AutoID">


This will be slightly different for the R10 patch, but the included web.config is correct.

Thanks,
Katie

Re: PCI compliance scan SQL Injection warning

Postby jguengerich » Thu Oct 12, 2017 1:22 am

Now I get this when I click on the R12 patch link:
Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[SqlException (0x80131904): Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.]
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +350
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +156
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +268
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +314
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +204
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +428
System.Data.SqlClient.SqlConnection.Open() +130
NHibernate.Connection.DriverConnectionProvider.GetConnection() +210
NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare() +27
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper) +114
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory) +130
NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners) +769
NHibernate.Cfg.Configuration.BuildSessionFactory() +133
AbleLicense.Common.DbSessionManager..cctor() +268

[TypeInitializationException: The type initializer for 'AbleLicense.Common.DbSessionManager' threw an exception.]
AbleLicense.Common.DbSessionManager.get_Instance() +0
AbleLicense.Common.DbSessionModule.OpenSession(Object sender, EventArgs e) +10
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +139
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91
Jay

Re: PCI compliance scan SQL Injection warning

Postby jguengerich » Thu Oct 12, 2017 1:37 am

Tried again, the link worked this time.

Can you confirm, according to the readme, the root web.config should NOT have validateRequest="false", but the admin web.config SHOULD have validateRequest="false"?
Jay

Re: PCI compliance scan SQL Injection warning

Postby Katie » Thu Oct 12, 2017 2:19 am

Yes that is correct.

We shouldn't have validateRequest="false" in root Website/Web.config
We need to have validateRequest="false" in our Website/Admin/Web.config

Thanks
Katie
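Added example (not from this thread and not AbleCommerce's code): a small Python checker that applies the rule Katie states above to a root/Admin web.config pair, so an admin can verify a patched site without eyeballing the files. The two sample configs are constructed here from the `<pages>` lines quoted in the thread, wrapped in a minimal `<configuration>` element; real product web.config files contain much more. The checker treats a missing `validateRequest` attribute as "validation enabled", which is ASP.NET's documented default, and also reports `httpRuntime requestValidationMode` when present, because on ASP.NET 4.x a page-level `validateRequest="false"` is only honoured when that mode is "2.0".

```python
"""Check ASP.NET web.config files for the request-validation setting
discussed in this thread.

Rule from the corrected readme: the root Website/web.config must NOT carry
validateRequest="false" on <pages>; the Admin/web.config is expected to keep it.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample configs (not the product's files). The <pages> lines are
# the two variants quoted in the thread, wrapped in a minimal configuration.
ROOT_BEFORE = """<configuration>
  <system.web>
    <pages theme="Bootstrap_Responsive" validateRequest="false" enableEventValidation="false" clientIDMode="AutoID" />
  </system.web>
</configuration>"""

ROOT_AFTER = """<configuration>
  <system.web>
    <pages theme="Bootstrap_Responsive" enableEventValidation="false" clientIDMode="AutoID" />
  </system.web>
</configuration>"""

# Constructed stand-in for Website/Admin/web.config, which the readme says
# should keep validateRequest="false".
ADMIN = """<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""


def _first(root: ET.Element, tag: str) -> Optional[ET.Element]:
    """Return the first element named `tag` anywhere in the tree, or None."""
    return next(root.iter(tag), None)


def request_validation_enabled(config_xml: str) -> bool:
    """Return True when the <pages> element leaves ASP.NET request validation on.

    ASP.NET defaults validateRequest to true, so a missing attribute (or a
    missing <pages> element) counts as enabled; only an explicit "false" disables it.
    """
    pages = _first(ET.fromstring(config_xml), "pages")
    if pages is None:
        return True
    return pages.get("validateRequest", "true").strip().lower() != "false"


def request_validation_mode(config_xml: str) -> Optional[str]:
    """Return httpRuntime requestValidationMode if present, else None.

    On ASP.NET 4.x the page-level validateRequest="false" only takes effect
    when this mode is "2.0", so it is worth reporting alongside the <pages> setting.
    """
    runtime = _first(ET.fromstring(config_xml), "httpRuntime")
    return None if runtime is None else runtime.get("requestValidationMode")


def audit(root_xml: str, admin_xml: str) -> List[str]:
    """Apply the readme's rule to a root/Admin pair; return a list of findings."""
    findings = []
    if not request_validation_enabled(root_xml):
        findings.append('root web.config: validateRequest="false" on <pages>; remove the attribute')
    if request_validation_enabled(admin_xml):
        findings.append('Admin web.config: validateRequest="false" expected per the readme')
    return findings


if __name__ == "__main__":
    # Run the checker over the constructed "before" and "after" root configs.
    for label, cfg in (("before", ROOT_BEFORE), ("after", ROOT_AFTER)):
        print(f"root ({label}):", audit(cfg, ADMIN) or "OK",
              "| requestValidationMode:", request_validation_mode(cfg))
```

To use it against a real site, read `Website/web.config` and `Website/Admin/web.config` into strings and pass them to `audit`; an empty list means both files match the corrected readme. The check looks only at the `validateRequest` attribute the patch instructions concern; it does not inspect the compiled search code that the scanner flagged.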

Re: PCI compliance scan SQL Injection warning

Postby jguengerich » Thu Oct 12, 2017 2:37 am

OK, thanks Katie.
Jay

Re: PCI compliance scan SQL Injection warning

Postby jmestep » Thu Oct 12, 2017 3:34 am

Katie,
I see the links are working now, so you don't need to pm me back.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
jmestep
AbleCommerce Angel
Posts: 8091
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: PCI compliance scan SQL Injection warning

Postby jmestep » Thu Oct 12, 2017 3:57 am

Are older versions not vulnerable or are you just not issuing patches?
Thanks

Re: PCI compliance scan SQL Injection warning

Postby Katie » Thu Oct 12, 2017 7:00 am

I'm not really sure because every reported case so far has been a result of a failed PCI scan. We patched back to Gold R10 SR1, because it seemed like a logical place to start since that version is PA-DSS certified. However, if anyone needs a patch for a different version, we're happy to assist with that.

Re: PCI compliance scan SQL Injection warning

Postby AbleMods » Fri Oct 13, 2017 2:15 am

Is there a way to get the full source changes for this patch for clients who have customized CommerceBuilder?
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
AbleMods
Master Yoda
Posts: 5088
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: PCI compliance scan SQL Injection warning

Postby AbleMods » Fri Oct 13, 2017 2:15 am

Would be helpful to see an entry about this in the dashboard News Feed as well

