SQL Injection PCI compliance

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
foodsleuth
Commander (CMDR)
Posts: 139
Joined: Wed Mar 31, 2010 8:59 pm


Post by foodsleuth » Mon Nov 06, 2017 9:32 am

Hello,
We've just become "non-compliant" with a lot of potential SQL injection errors from our AbleCommerce store. This is similar to (but not the same error as): viewtopic.php?f=65&t=19135&p=84341&hili ... ion#p84341. That error is regarding the search string; this one is labeled "Threat ID: web_prog_sql_integer".

THREAT REFERENCE

Summary:
Integer based SQL injection vulnerability in ctl29_TSSM parameter to /./h;if(b)if(!(b?404%3bhttp%3a%2f%2fwww.%3a80%2fh%3bif(b)if(!(b

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_integer

Details: When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query. This type of attack is known as a SQL injection attack.

For example, suppose a web program passes the following query to the database application:

SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'

where $user and $pass are variables supplied by the user through a web form. So if the user were to enter the name "admin" and the password "abc", the query would become:

SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='abc'

and the database would return any existing record where the username is "admin" and the password is "abc", thus authenticating the user if the password "abc" is correct. Now suppose an attacker were to enter a malformed password such as the following:

' OR 'a'='a

Inserting the malformed password into the query exactly as it appears above would cause the query to become:

SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='' OR 'a'='a'

The resulting query would return the records where the username is "admin" and the password is null OR the string 'a' equals 'a', which is always true. Thus, by manipulating the SQL query, all records are returned from the table without having known the correct password.

This is just one example of an attack which is possible using SQL injection. Other forms of attacks could allow the attacker to gain unauthorized read, write, or delete access to the database, or to retrieve passwords. There are also security bypass vulnerabilities which allow for the
Last edited by foodsleuth on Thu Nov 09, 2017 6:04 am, edited 1 time in total.
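The scanner text above walks through the quoted-string case; the finding itself is labeled "integer based", which is the variant where the injected parameter sits in the query unquoted, so the attacker needs no quote character at all. The following is an added example, not code from AbleCommerce, from the scanner, or from the post: it rebuilds the USERS query from the threat reference against an in-memory SQLite table (a stand-in for the store's SQL Server, with constructed rows), shows the string payload from the text and an unquoted integer payload each succeeding against a concatenated query, and shows the same inputs failing against a parameterized query with an integer type check. Nothing here models the `ctl29_TSSM` parameter, since the post does not say what it maps to.

```python
# Added example, not AbleCommerce code: the login query from the scanner text,
# built by string concatenation and then with bound parameters, plus the
# integer-based variant the finding is named for (an unquoted numeric
# parameter). Table, rows and inputs are constructed for the demonstration.
import re
import sqlite3


def make_db():
    """Constructed sample data: two users with plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERS (ID INTEGER PRIMARY KEY, USERNAME TEXT, PASSWORD TEXT)"
    )
    conn.executemany(
        "INSERT INTO USERS VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user, pw):
    """String-based injection: input is spliced into the SQL text, so a quote
    in the password ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT * FROM USERS WHERE USERNAME='{user}' AND PASSWORD='{pw}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, user, pw):
    """Bound parameters: the SQL text is fixed and the values travel
    separately, so quotes and keywords in the input are only data."""
    sql = "SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?"
    return conn.execute(sql, (user, pw)).fetchall()


def user_by_id_vulnerable(conn, raw_id):
    """Integer-based injection: the value is not quoted, so the attacker does
    not need a quote character; "1 OR 1=1" is valid SQL exactly as typed."""
    sql = f"SELECT * FROM USERS WHERE ID={raw_id}"
    return conn.execute(sql).fetchall()


def user_by_id_safe(conn, raw_id):
    """Type-check first (an ID is digits only), then bind the integer."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("ID must be a positive integer")
    return conn.execute("SELECT * FROM USERS WHERE ID=?", (int(raw_id),)).fetchall()


def demo():
    """Run each query pair against the same input and return the row counts,
    so the effect of the fix is visible without reading database output."""
    conn = make_db()
    attacker_pw = "' OR 'a'='a"   # the payload from the scanner text
    attacker_id = "1 OR 1=1"      # its unquoted, integer-based counterpart
    results = {
        "vuln_login_rows": len(login_vulnerable(conn, "admin", attacker_pw)),
        "safe_login_rows": len(login_safe(conn, "admin", attacker_pw)),
        "real_login_rows": len(login_safe(conn, "admin", "s3cret")),
        "vuln_id_rows": len(user_by_id_vulnerable(conn, attacker_id)),
        "safe_id_rows": len(user_by_id_safe(conn, "2")),
    }
    try:
        user_by_id_safe(conn, attacker_id)
        results["safe_id_rejected"] = False
    except ValueError:
        results["safe_id_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two vulnerable functions return every row for the attacker inputs (the login one produces exactly the `PASSWORD='' OR 'a'='a'` query from the threat reference); the parameterized login returns nothing for the payload and one row for the real password, and the integer lookup rejects `1 OR 1=1` before any SQL runs. Whatever language the store's code is in, the fix has the same shape: fixed SQL text, values bound as parameters, and numeric parameters checked as numbers before they reach the query.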

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: SQL Injection PCI compliance

Post by jmestep » Mon Nov 06, 2017 10:36 pm

Interested in this. It looks like your search box is not AC search, but Google search?
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

foodsleuth
Commander (CMDR)
Posts: 139
Joined: Wed Mar 31, 2010 8:59 pm

Re: SQL Injection PCI compliance

Post by foodsleuth » Tue Nov 07, 2017 2:22 am

Yes, we use Google custom search on our general content pages, but everywhere inside Able pages we use Able search.
