PCI compliance scan SQL Injection warning

Posted: Tue Oct 03, 2017 2:59 pm
by dandersonMLT
I recently ran an automated PCI Compliance scanner on my site and it is reporting a SQL injection vulnerability in the SimpleSearch and Search.aspx.
The scanner seems to be injecting a waitfor to see if it increases the time for the search to return, and is reporting that it does.

The search methods in search.aspx are closed source in our edition, so I can't really verify if it is doing anything to protect against SQL injection.

Below is a snippet of the threat information from PCI Compliance scan. I am not including everything because I don't want to expose too much information.
THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in ctl00$ctl00$NestedMaster$PageHeader$StoreHeader_H$SimpleSearch$SearchButton parameter to {page url}

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters
within SQL queries without first checking them for unexpected
characters, it becomes possible for an attacker to
manipulate the query. This type of attack is known as a
SQL injection attack.
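The scanner's summary above describes the vulnerability class in general terms, and the search code in question is closed source. As an added illustration, not AbleCommerce's or the scanner's code, the following C# shows a product keyword search written both ways: the concatenated form, in which whatever the user typed becomes part of the statement text (the behaviour a time-delay probe depends on), and the parameterized SqlCommand form, in which the statement is constant and the keyword is bound as data. The table name ac_Products and its Name column are hypothetical.

```csharp
// Added example, not AbleCommerce code. The table ac_Products and its
// Name column are hypothetical; point the connection string at any
// SQL Server database that has such a table.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // BEFORE: the keyword is spliced into the statement text. SQL Server
    // parses everything in the string, so the query's shape is under the
    // control of whoever fills in the search box.
    public static List<string> SearchUnsafe(string connectionString, string keyword)
    {
        string sql = "SELECT Name FROM ac_Products WHERE Name LIKE '%" + keyword + "%'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return ReadNames(cmd);
        }
    }

    // AFTER: the statement text is a constant and the keyword travels as a
    // typed parameter. The server receives it as a value, never as statement
    // text, so the query cannot change regardless of what was typed.
    public static List<string> SearchParameterized(string connectionString, string keyword)
    {
        const string sql =
            "SELECT Name FROM ac_Products WHERE Name LIKE @pattern ESCAPE '\\'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Escaping LIKE metacharacters is a correctness concern (so a
            // search for "50%" matches literally); the parameter, not the
            // escaping, is what prevents injection.
            string pattern = "%" + EscapeLike(keyword) + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 300).Value = pattern;
            conn.Open();
            return ReadNames(cmd);
        }
    }

    // Escape the characters that have special meaning inside a LIKE pattern
    // when the pattern is used with ESCAPE '\'.
    private static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");
    }

    private static List<string> ReadNames(SqlCommand cmd)
    {
        var names = new List<string>();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                names.Add(reader.GetString(0));
        }
        return names;
    }

    // Usage: ProductSearch.exe "<connection string>" "<keyword>"
    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: ProductSearch <connectionString> <keyword>");
            return;
        }
        foreach (string name in SearchParameterized(args[0], args[1]))
            Console.WriteLine(name);
    }
}
```

The difference a scanner measures is visible here: in SearchUnsafe the statement sent to the server varies with the keyword, so a keyword containing a delay statement changes how long the search takes; in SearchParameterized the same keyword is only ever compared against Name, and the response time is unaffected. The same principle applies to stored procedures and to any ORM query built from string fragments.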

Re: PCI compliance scan SQL Injection warning

Posted: Wed Oct 04, 2017 2:51 am
by Katie
Which version of AbleCommerce are you using?

Thanks
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Wed Oct 04, 2017 2:56 am
by dandersonMLT
AbleCommerce GoldR10SR1 (build 8620)

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 05, 2017 5:38 am
by Katie
I'm sorry. Is it the WAP or WSP version?

Thanks!
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 05, 2017 6:38 am
by dandersonMLT
WSP

Re: PCI compliance scan SQL Injection warning

Posted: Fri Oct 06, 2017 8:33 am
by Katie
Hi,

Can you open a support ticket please? Just go to https://www.ablecommerce.com/helpdesk.aspx
If you don't have an account, you can create one.

I need to be able to get you some information in a secure manner. Please reference this forum post.

Thanks
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Fri Oct 06, 2017 8:46 am
by dandersonMLT
Done. Thank you.

Re: PCI compliance scan SQL Injection warning

Posted: Wed Oct 11, 2017 4:21 am
by Katie
Thanks for getting back to me on the patch. For anyone else who might be reading this, the help site was just updated with the official patches here:

http://help.ablecommerce.com/index.htm# ... ailure.htm

Thanks,
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Wed Oct 11, 2017 9:50 am
by jguengerich
Katie,

In the R12 patch, the root directory web.config does not contain the modification described in step 1 of the instructions. I didn't check the R10 or R11 patches.

Re: PCI compliance scan SQL Injection warning

Posted: Wed Oct 11, 2017 10:31 am
by Katie
Hi Jay,

Actually, the Readme.doc has a mistake. I am uploading new versions now. This is the correct information if you've already downloaded it.

1) Edit the \web.config

Change from:

<pages theme="Bootstrap_Responsive" validateRequest="false" enableEventValidation="false" clientIDMode="AutoID">

Change to:

<pages theme="Bootstrap_Responsive" enableEventValidation="false" clientIDMode="AutoID">

This will be slightly different for the R10 patch, but the included web.config is correct.

Thanks,
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 1:22 am
by jguengerich
Now I get this when I click on the R12 patch link:
Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[SqlException (0x80131904): Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.]
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +350
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +156
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +268
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +314
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +204
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +428
System.Data.SqlClient.SqlConnection.Open() +130
NHibernate.Connection.DriverConnectionProvider.GetConnection() +210
NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare() +27
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper) +114
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory) +130
NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners) +769
NHibernate.Cfg.Configuration.BuildSessionFactory() +133
AbleLicense.Common.DbSessionManager..cctor() +268

[TypeInitializationException: The type initializer for 'AbleLicense.Common.DbSessionManager' threw an exception.]
AbleLicense.Common.DbSessionManager.get_Instance() +0
AbleLicense.Common.DbSessionModule.OpenSession(Object sender, EventArgs e) +10
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +139
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 1:37 am
by jguengerich
Tried again, the link worked this time.

Can you confirm, according to the readme, the root web.config should NOT have validateRequest="false", but the admin web.config SHOULD have validateRequest="false"?

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 2:19 am
by Katie
Yes that is correct.

We shouldn't have validateRequest="false" in root Website/Web.config
We need to have validateRequest="false" in our Website/Admin/Web.config

Thanks
Katie

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 2:37 am
by jguengerich
OK, thanks Katie.

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 3:34 am
by jmestep
Katie,
I see the links are working now, so you don't need to pm me back.

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 3:57 am
by jmestep
Are older versions not vulnerable or are you just not issuing patches?
Thanks

Re: PCI compliance scan SQL Injection warning

Posted: Thu Oct 12, 2017 7:00 am
by Katie
I'm not really sure because every reported case so far has been a result of a failed PCI scan. We patched back to Gold R10 SR1, because it seemed like a logical place to start since that version is PA-DSS certified. However, if anyone needs a patch for a different version, we're happy to assist with that.

Re: PCI compliance scan SQL Injection warning

Posted: Fri Oct 13, 2017 2:15 am
by AbleMods
Is there a way to get the full source changes for this patch for clients who have customized CommerceBuilder?

Re: PCI compliance scan SQL Injection warning

Posted: Fri Oct 13, 2017 2:15 am
by AbleMods
Would be helpful to see an entry about this in the dashboard News Feed as well

Re: PCI compliance scan SQL Injection warning

Posted: Mon Nov 27, 2017 12:11 am
by jmestep
We applied the patch to numerous sites and on some we are getting the same types of errors. Here is one from an R11 SR1 site. What do we do?

Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack Trace:
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.category_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedData
Inner Exception Stack Trace:
   at System.Web.Security.MachineKey.Decode(String encodedData, MachineKeyProtection protectionOption)
   at AbleCommerce.Layouts.Base.Master_Page_PreLoad(Object sender, EventArgs e)
   at System.EventHandler.Invoke(Object sender, EventArgs e)
   at System.Web.UI.Page.OnPreLoad(EventArgs e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Thanks

Re: PCI compliance scan SQL Injection warning

Posted: Mon Nov 27, 2017 12:21 am
by Katie
Hello Judy,

On which page(s) do these errors happen, or do you see this in the log? I'm also curious whether or not these sites have a machine key set in the web.config.

Thanks
Katie