Hello,
We've just become "non-compliant" with a lot of potential SQL injection errors from our AbleCommerce store. This is similar to (but not the same error as): viewtopic.php?f=65&t=19135&p=84341&hili ... ion#p84341. That error is regarding the search string; this one is labeled "Threat ID: web_prog_sql_integer".
THREAT REFERENCE
Summary:
Integer based SQL injection vulnerability in ctl29_TSSM parameter to /./h;if(b)if(!(b?404%3bhttp%3a%2f%2fwww.%3a80%2fh%3bif(b)if(!(b
Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_integer
Details: When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query. This type of attack is known as a SQL injection attack.

For example, suppose a web program passes the following query to the database application:

SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'

where $user and $pass are variables supplied by the user through a web form. So if the user were to enter the name "admin" and the password "abc", the query would become:

SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='abc'

and the database would return any existing record where the username is "admin" and the password is "abc", thus authenticating the user if the password "abc" is correct. Now suppose an attacker were to enter a malformed password such as the following:

' OR 'a'='a

Inserting the malformed password into the query exactly as it appears above would cause the query to become:

SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='' OR 'a'='a'

The resulting query would return the records where the username is "admin" and the password is null OR the string 'a' equals 'a', which is always true. Thus, by manipulating the SQL query, all records are returned from the table without having known the correct password.

This is just one example of an attack which is possible using SQL injection. Other forms of attacks could allow the attacker to gain unauthorized read, write, or delete access to the database, or to retrieve passwords.

There are also security bypass vulnerabilities which allow for the
SQL Injection PCI compliance
- Commander (CMDR)
- Posts: 139
- Joined: Wed Mar 31, 2010 8:59 pm
Last edited by foodsleuth on Thu Nov 09, 2017 6:04 am, edited 1 time in total.
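The scanner's login example, carried through in working code as an added illustration that is not part of the original post, the scanner's report, or AbleCommerce's code. It builds the report's query both ways: by pasting the user-supplied strings into the SQL text (the shape the scanner flags) and as a parameterized query (the shape a PCI SQL-injection check is asking for). It assumes only Python's built-in sqlite3 module; the USERS rows are constructed sample data, and the PRODUCTS table and product_by_id function are hypothetical additions that show the integer-parameter case the threat ID "web_prog_sql_integer" refers to, where there are no quotes to escape and the fix is to validate the type and bind the value.

```python
"""Added example: the scanner's login query by string concatenation versus
a parameterized query, plus the integer-parameter case. Not AbleCommerce code."""
import sqlite3

# Constructed sample data; USERS follows the scanner's example, PRODUCTS is hypothetical.
SAMPLE_USERS = [("admin", "abc"), ("alice", "wonderland")]
SAMPLE_PRODUCTS = [(1, "Widget"), (2, "Gadget")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE PRODUCTS (ID INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query exactly as the scanner's example does: the user-supplied
    strings become part of the SQL text, so a quote in the input is SQL syntax.
    With the report's malformed password this returns every row of USERS."""
    sql = f"SELECT * FROM USERS WHERE USERNAME='{user}' AND PASSWORD='{password}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user, password):
    """Hardened form: the values travel as bound parameters, never as SQL text,
    so the same input is only ever compared against the stored password."""
    sql = "SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?"
    return conn.execute(sql, (user, password)).fetchall()


def product_by_id(conn, raw_id):
    """Hypothetical integer-context lookup. An unquoted number in SQL has no quote
    to break out of, so the check is: reject anything that is not an integer
    before the query runs, and still bind the value as a parameter."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError(f"product id must be an integer, got {raw_id!r}")
    sql = "SELECT * FROM PRODUCTS WHERE ID=?"
    return conn.execute(sql, (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"  # the malformed password from the scanner's report
    print("concatenated, correct password:", login_vulnerable(db, "admin", "abc"))
    print("concatenated, malformed password:", login_vulnerable(db, "admin", payload))
    print("parameterized, correct password:", login_parameterized(db, "admin", "abc"))
    print("parameterized, malformed password:", login_parameterized(db, "admin", payload))
    print("integer parameter, valid id:", product_by_id(db, "2"))
    try:
        product_by_id(db, "abc")
    except ValueError as exc:
        print("integer parameter, rejected:", exc)
```

Run it and the concatenated query returns both constructed users for the report's malformed password, while the parameterized query returns nothing, because the bound value is compared as data rather than parsed as SQL. The same parameter binding is what the scanner's "checking them for unexpected characters" amounts to in practice: the driver, not the application, keeps input out of the query text.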
- jmestep
- AbleCommerce Angel
- Posts: 8164
- Joined: Sun Feb 29, 2004 8:04 pm
- Location: Dayton, OH
Re: SQL Injection PCI compliance
Interested in this. It looks like your search box is not AC search, but Google search?
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
- Commander (CMDR)
- Posts: 139
- Joined: Wed Mar 31, 2010 8:59 pm
Re: SQL Injection PCI compliance
Yes, we use Google custom search on our general content pages, but everywhere inside Able pages we use Able search.