SQL Vulnerability shown by HackerSafe

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Mon Jul 14, 2008 7:55 pm

We had a 'new vulnerability found' alert on our AC site today- MS SQL Database Error Disclosure Vulnerability. Has anyone else run into this? Is it more likely a false error being thrown? My thought is that if the error were truly there, AC would have either patched it already or there would be a number of others hitting the same error.

I believe that I had this same error show up a year or so ago on our other software, but still need to ask if it is possible that the problem exists, and if so what others have done to resolve it. On our other system, we changed the 500;100 error to go to a specific error page, so that the error would not throw any potentially useful information. Is this the best course of action?

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: SQL Vulnerability shown by HackerSafe

Post by Shopping Cart Admin » Mon Jul 14, 2008 8:04 pm

Hello,

Have you followed the security instructions in our PABP installation guide?

Considering we're a dealer for this particular product and we've not had this reported by anyone else, I'm guessing it's something in the way your server is set up. Debug information, custom error messages etc?
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Mon Jul 14, 2008 8:25 pm

This was installed several months back, so I cannot recall what all was read at the time. Do you have a link to the guide that you mentioned? I assume that if we missed a step somewhere along the way, it can still be performed now?

I also have to wonder if this was a false error, as it should have shown up before now if it was there.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: SQL Vulnerability shown by HackerSafe

Post by Shopping Cart Admin » Mon Jul 14, 2008 8:38 pm

Hello,

A server setting could have been recently changed that could be resulting in the output of the SQL information, or potentially some new custom code. Better to research it fully and figure it out for sure!
We recommend that all merchants meet the requirements of the PCI security standard when implementing AbleCommerce. To assist you in this process, we have developed the following instructions:

http://www.ablecommerce.com/ac7pciguide.pdf

Follow the recommendations in the guide to ensure that AbleCommerce is configured as securely as possible, in a PCI compliant manner.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Mon Jul 14, 2008 8:58 pm

We have not changed anything on the server recently (my opinion- if it ain't broke...). I went through the guide, and we would not be able to bring the server up to PCI compliance because we operate the SQL server on our main box (we operate only one server). However, that should not lead to the potential output of sensitive data.

Everything else appeared to be in check.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: SQL Vulnerability shown by HackerSafe

Post by Shopping Cart Admin » Mon Jul 14, 2008 9:03 pm

Hello,

Well, I wish I had a dollar for every time someone has told us that nothing has changed, only to find out it had changed :).

Typically this is a result of the datasource or database name being shown in an error message. Was there any additional information from Scan Alert that might help in identifying the offending page? They have a lot of data on their website with solutions on most of the common issues they are reporting.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Mon Jul 14, 2008 9:58 pm

Actually, I am the only one with access to the server, and in the last day or two (pre-error) have not altered any files, installed upgrades, etc.

The offending page is CategoryGrid4.aspx. Actually, it shows in the error as:

Path /CategoryGrid4.aspx

Would I be correct in assuming that this is not going to be the version in the Custom folder? I am just wondering, because if so it is not even our actively used file.

There is actually a full detail of the Path, Query, Headers, Body, and Response. I can copy any of it that you would find helpful.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: SQL Vulnerability shown by HackerSafe

Post by Shopping Cart Admin » Mon Jul 14, 2008 10:07 pm

Hello Rick,

Well, that is strange, as that page isn't accessed in a way it should even be 'found' by Scan Alert. I don't see how they could have gotten to the page. Tomorrow I'll get some more brains on what happens if the page is accessed directly and see what we find.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: SQL Vulnerability shown by HackerSafe

Post by Shopping Cart Admin » Mon Jul 14, 2008 10:23 pm

Hello Rick,

I just tried accessing the categorygrid4.aspx page without any parameters and was re-directed to the home page. It's a page in the root of the installation but it's always masked by our url-rewriting technology, so it's nothing to do with the conlib/custom controls. Please post the full error message MINUS your database name in the error so we can try to figure out how to replicate the error.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Tue Jul 15, 2008 8:07 am

I searched, and did not find the DB name anywhere, so hopefully I did not miss it:

URL
Protocol http Port 80 Read Timeout 10000 Method POST Demo
Path /CategoryGrid4.aspx
Query CategoryId=7

Headers Referer=http%3A%2F%2Fwww.hotsaucedepot.com%3A80%2FHot-Sauce-C7.aspx
Cookie=AC7.ASPXANONYMOUS%3Ddk5d7HfmyAEkAAAAYWFkYjIzMjAtMTBlOC00NGQyLWIyODYtMzRkOTE5MjhhYjFi-q-YKYtqq0yKxJnutGAT5HdMyWc1
Cookie=AC7.SESSIONID%3Dw1ebmuyznb32oh20mn4trw55
Content-Type=application%2Fx-www-form-urlencoded

Body __WPPS=s
__EVENTTARGET=0
__EVENTARGUMENT=0
__LASTFOCUS=0
ctl00$wpm$CategoryGrid4$ctl09$HiddenPageIndex=0
ctl00$wpm$CategoryGrid4$ctl02$SearchPhrase=0
ctl00$wpm$CategoryGrid4$ctl02$SearchButton=Search
ctl00$wpm$CategoryGrid4$ctl03$UserCurrency=1
ctl00$wpm$CategoryGrid4$ctl09$SortResults=Name ASC
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl00$Price$VS=PID=45&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl02$Price$VS=PID=44&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl06$Price$VS=PID=49&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl08$Price$VS=PID=47&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl10$Price$VS=PID=48&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl12$Price$VS=PID=218&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl14$Price$VS=PID=219&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl16$Price$VS=PID=221&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl18$Price$VS=PID=212&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl20$Price$VS=PID=232&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl22$Price$VS=PID=214&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl24$Price$VS=PID=215&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl26$Price$VS=PID=220&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl28$Price$VS=PID=430&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl30$Price$VS=PID=431&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl32$Price$VS=PID=429&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl34$Price$VS=PID=360&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl36$Price$VS=PID=359&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl38$Price$VS=PID=447&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl40$Price$VS=PID=422&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl42$Price$VS=PID=103&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl44$Price$VS=PID=104&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl46$Price$VS=PID=92&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl48$Price$VS=PID=94&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl50$Price$VS=PID=97&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl52$Price$VS=PID=90&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl54$Price$VS=PID=96&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl56$Price$VS=PID=95&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl58$Price$VS=PID=91&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl08$UserEmail=0
ctl00$wpm$CategoryGrid4$ctl08$SubscribeButton=Subscribe Now
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl00$Add2Cart$VS=P=45&SALT=q7PwYj
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl02$Add2Cart$VS=P=44&SALT=q7PwYj
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl04$Price$VS=PID=43&OL=&SKP=
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl06$Add2Cart$VS=P=49&SALT=q7PwYj
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl08$Add2Cart$VS=P=47&SALT=q7PwYj
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl10$Add2Cart$VS=P=48&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl12$Add2Cart$VS=P=218&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl14$Add2Cart$VS=P=219&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl16$Add2Cart$VS=P=221&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl18$Add2Cart$VS=P=212&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl20$Add2Cart$VS=P=232&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl22$Add2Cart$VS=P=214&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl24$Add2Cart$VS=P=215&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl26$Add2Cart$VS=P=220&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl28$Add2Cart$VS=P=430&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl30$Add2Cart$VS=P=431&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl32$Add2Cart$VS=P=429&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl34$Add2Cart$VS=P=360&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl36$Add2Cart$VS=P=359&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl38$Add2Cart$VS=P=447&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl40$Add2Cart$VS=P=422&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl42$Add2Cart$VS=P=103&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl44$Add2Cart$VS=P=104&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl46$Add2Cart$VS=P=92&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl48$Add2Cart$VS=P=94&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl50$Add2Cart$VS=P=97&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl52$Add2Cart$VS=P=90&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl54$Add2Cart$x';",)`=P=96&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl56$Add2Cart$VS=P=95&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl58$Add2Cart$VS=P=91&SALT=UPEWKk
ctl00$wpm$CategoryGrid4$ctl09$CatalogNodeList$ctl04$Add2Cart$VS=P=43&SALT=q7PwYj
Response
HTTP/1.1 500 Internal Server Error
Date Mon, 14 Jul 2008 13:23:20 GMT
Server Microsoft-IIS/6.0
X-Powered-By ASP.NET
X-AspNet-Version 2.0.50727
Cache-Control private
Content-Type text/html; charset=utf-8
Content-Length 8028
<html>
<head>
<title>A transport-level error has occurred when receiving results from the server. (provider: Shared Memory Provider, error: 0 - The system cannot open the file.)</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>A transport-level error has occurred when receiving results from the server. (provider: Shared Memory Provider, error: 0 - The system cannot open the file.)</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Data.SqlClient.SqlException: A transport-level error has occurred when receiving results from the server. (provider: Shared Memory Provider, error: 0 - The system cannot open the file.)<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[SqlException (0x80131904): A transport-level error has occurred when receiving results from the server. (provider: Shared Memory Provider, error: 0 - The system cannot open the file.)]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +857466
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +735078
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +188
System.Data.SqlClient.TdsParserStateObject.ReadSniError(TdsParserStateObject stateObj, UInt32 error) +556
System.Data.SqlClient.TdsParserStateObject.ReadSni(DbAsyncResult asyncResult, TdsParserStateObject stateObj) +164
System.Data.SqlClient.TdsParserStateObject.ReadPacket(Int32 bytesExpected) +34
System.Data.SqlClient.TdsParserStateObject.ReadBuffer() +30
System.Data.SqlClient.TdsParserStateObject.ReadByte() +17
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +59
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +31
System.Data.SqlClient.SqlDataReader.get_MetaData() +62
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +886
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +132
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteScalar() +137
Microsoft.Practices.EnterpriseLibrary.Data.Database.DoExecuteScalar(DbCommand command) +132
Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteScalar(DbCommand command) +140
CommerceBuilder.Stores.BannedIPDataSource.IsBanned(String ip) +339
CommerceBuilder.Services.AbleCommerceHttpModule.c(Object A_0, EventArgs A_1) +476
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

</font>

</body>
</html>
<!--
[SqlException]: A transport-level error has occurred when receiving results from the server. (provider: Shared Memory Provider, error: 0 - The system cannot open the file.)
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParserStateObject.ReadSniError(TdsParserStateObject stateObj, UInt32 error)
at System.Data.SqlClient.TdsParserStateObject.ReadSni(DbAsyncResult asyncResult, TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParserStateObject.ReadPacket(Int32 bytesExpected)
at System.Data.SqlClient.TdsParserStateObject.ReadBuffer()
at System.Data.SqlClient.TdsParserStateObject.ReadByte()
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteScalar()
at Microsoft.Practices.EnterpriseLibrary.Data.Database.DoExecuteScalar(DbCommand command)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteScalar(DbCommand command)
at CommerceBuilder.Stores.BannedIPDataSource.IsBanned(String ip)
at CommerceBuilder.Services.AbleCommerceHttpModule.c(Object A_0, EventArgs A_1)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
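The response Brewhaus posted is the stock ASP.NET unhandled-exception page: the scanner's request carried stray quote and bracket characters in one form field, the request failed with a 500, and the body handed back the exception type, the full stack trace including the store's own `CommerceBuilder.*` namespaces and method names, the framework version, and a trailing comment stating that `customErrors` is Off. That disclosure, not a confirmed injection, is what the scan flags. The following is an added example, not code from the thread, from AbleCommerce or from ScanAlert, that checks a captured HTTP response for those markers so a store owner can confirm from a logged or test response whether the page still leaks; the two sample responses are constructed, and the verbose one is abbreviated from the shape of the response quoted above (no cookie or host values are reproduced).

```python
import re
from typing import Dict, List, Tuple

# Text markers of the default ASP.NET unhandled-exception page.
# The last one is the HTML comment ASP.NET appends when customErrors is Off,
# exactly as seen at the end of the response quoted in the thread.
YSOD_MARKERS = {
    "server_error_banner": "Server Error in '/' Application.",
    "exception_details": "Exception Details: </b>",
    "stack_trace_section": "<b>Stack Trace:</b>",
    "custom_errors_off_hint": 'verbose error messages using <customErrors mode="Off"/>',
}

EXCEPTION_RE = re.compile(r"Exception Details: </b>([\w.]+Exception)")
# A stack-frame line: optional "at ", then a dotted Namespace.Type.Method up to the "(".
FRAME_RE = re.compile(r"^\s*(?:at\s+)?([\w.`]+)\(", re.MULTILINE)
FRAMEWORK_PREFIXES = ("System.", "Microsoft.")


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_error_disclosure(raw: str) -> dict:
    """Report whether a response is a verbose ASP.NET error page and what it leaks."""
    status, headers, body = parse_http_response(raw)
    markers = [name for name, text in YSOD_MARKERS.items() if text in body]
    match = EXCEPTION_RE.search(body)
    # Frames outside System.*/Microsoft.* name the application's own assemblies
    # and methods, which is the most useful thing an error page hands to an outsider.
    seen: List[str] = []
    for frame in FRAME_RE.findall(body):
        if frame not in seen:
            seen.append(frame)
    app_frames = [f for f in seen if not f.startswith(FRAMEWORK_PREFIXES)]
    return {
        "status": status,
        "is_verbose_aspnet_error": status >= 500 and "server_error_banner" in markers,
        "markers": markers,
        "exception_type": match.group(1) if match else None,
        "custom_errors_off": "custom_errors_off_hint" in markers,
        "application_frames": app_frames,
        "server_header": headers.get("server"),
        "aspnet_version": headers.get("x-aspnet-version"),
    }


# Constructed sample, abbreviated from the shape of the response quoted in the thread.
SAMPLE_VERBOSE = "\r\n".join([
    "HTTP/1.1 500 Internal Server Error",
    "Server: Microsoft-IIS/6.0",
    "X-Powered-By: ASP.NET",
    "X-AspNet-Version: 2.0.50727",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body>",
    "<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>",
    "<b> Exception Details: </b>System.Data.SqlClient.SqlException: A transport-level error has occurred when receiving results from the server.<br><br>",
    "<b>Stack Trace:</b> <br><br>",
    "<code><pre>",
    "System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +857466",
    "System.Data.SqlClient.SqlCommand.ExecuteScalar() +137",
    "Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteScalar(DbCommand command) +140",
    "CommerceBuilder.Stores.BannedIPDataSource.IsBanned(String ip) +339",
    "CommerceBuilder.Services.AbleCommerceHttpModule.c(Object A_0, EventArgs A_1) +476",
    "</pre></code>",
    "</body></html>",
    "<!--",
    'This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->',
])

# Constructed sample of what the same failure looks like once a generic error page is served.
SAMPLE_GENERIC = "\r\n".join([
    "HTTP/1.1 500 Internal Server Error",
    "Content-Type: text/html",
    "",
    "<html><body><h1>Something went wrong.</h1><p>Please try again later.</p></body></html>",
])

if __name__ == "__main__":
    for label, sample in (("verbose", SAMPLE_VERBOSE), ("generic", SAMPLE_GENERIC)):
        print(label, assess_error_disclosure(sample))
```

The check keys on the page markers and on the `customErrors` comment rather than on the 500 status alone, because a 500 with a generic page (the second sample) is the desired end state, not a finding. The `application_frames` list is the part worth reviewing after a fix: any non-framework frame still appearing in a response means the error details are still reaching the client.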

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: SQL Vulnerability shown by HackerSafe

Post by jmestep » Tue Jul 15, 2008 8:11 am

What is your error setting in the web.config file? Sometimes if you have
<customErrors mode="Off"/>
and/or
<compilation debug="true" strict="false" explicit="false"> (debug set to true)
that is enough for ScanAlert to generate an error for a vulnerability.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Tue Jul 15, 2008 9:03 am

I have never looked at this file before. The settings are:

<customErrors mode="Off"/>

<compilation debug="false" strict="false" explicit="false">

Should I change customErrors to "On"?

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: SQL Vulnerability shown by HackerSafe

Post by jmestep » Tue Jul 15, 2008 12:13 pm

Yes, change custom errors to On. I had to do that on an Able5.5 store that had a Scan Alert vulnerability. With custom errors off, the page displays too much error information and that is what Scan Alert is probably picking up.
Also, turn trace off in the web.config if it is on.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
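Judy's advice comes down to three settings under `<system.web>` in web.config: `customErrors mode`, `compilation debug`, and `trace enabled`. As an added example, not code from the thread, from AbleCommerce or from web2market, the Python below parses a web.config and reports which of the three are in the weak state, so the check can be run against every store before a scan rather than waiting for the alert. The weak sample is constructed to match the settings Brewhaus quoted (customErrors Off, debug false), with trace switched on to exercise that check; the hardened sample uses `RemoteOnly`, which still shows full details to requests made from the server itself while sending everyone else to the error page, and its `defaultRedirect` file name is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple


def _is_true(value: Optional[str]) -> bool:
    # ASP.NET boolean attributes are case-insensitive.
    return value is not None and value.strip().lower() == "true"


def audit_web_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for the three error-disclosure settings.

    An empty list means customErrors is On or RemoteOnly, compilation debug is off,
    and trace is off.
    """
    root = ET.fromstring(xml_text)
    system_web = next((child for child in root if child.tag == "system.web"), None)
    if system_web is None:
        return [("system.web:missing", "no <system.web> section found; nothing to audit")]

    findings: List[Tuple[str, str]] = []

    custom_errors = system_web.find("customErrors")
    mode = (custom_errors.get("mode") or "").strip().lower() if custom_errors is not None else ""
    if not mode:
        findings.append(("customErrors:unset",
                         "no explicit customErrors mode; set mode=\"RemoteOnly\" or \"On\""))
    elif mode == "off":
        findings.append(("customErrors:Off",
                         "customErrors mode=\"Off\" renders exception details and stack traces to every client"))

    compilation = system_web.find("compilation")
    if compilation is not None and _is_true(compilation.get("debug")):
        findings.append(("compilation:debug",
                         "compilation debug=\"true\" adds source line numbers to error output and disables optimisations"))

    trace = system_web.find("trace")
    if trace is not None and _is_true(trace.get("enabled")):
        findings.append(("trace:enabled",
                         "trace enabled=\"true\" exposes request, session and server data through trace.axd"))

    return findings


def is_hardened(xml_text: str) -> bool:
    """True when none of the three checks fire."""
    return not audit_web_config(xml_text)


# Constructed sample modeled on the settings quoted in the thread, with trace turned on
# so the third check has something to report.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <compilation debug="false" strict="false" explicit="false"/>
    <trace enabled="true" localOnly="false"/>
  </system.web>
</configuration>"""

# Constructed hardened sample; the defaultRedirect file name is an assumption.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/ErrorPage.htm"/>
    <compilation debug="false" strict="false" explicit="false"/>
    <trace enabled="false"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_web_config(config) or "no findings")
```

Run it with `python audit_web_config.py` after pasting your own file contents in place of the samples. A missing `customErrors` element is reported as well: ASP.NET falls back to its own default in that case, but stating the mode explicitly is what keeps a later edit from silently reintroducing the verbose page.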

Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Re: SQL Vulnerability shown by HackerSafe

Post by Brewhaus » Tue Jul 15, 2008 7:08 pm

As expected, the vulnerability disappeared after today's scan. But I still turned the custom errors on, and checked but trace was off (I assume that 'false' is off).

Thanks for the help! :-)
