McAfee Vulnerability ??
McAfee took the seal off my website because they say I have a Vulnerability.
The page they pointed out produced this:
[[ConLib:Custom/ProdList]] Unclosed quotation mark after the character string ';",)` AND VisibilityId=0 ORDER BY name ASC'.
I'm guessing it's from this line of code from a custom page I made:
ProductCollection productList = ProductDataSource.LoadForCriteria(
"ManufacturerId=" + Request.QueryString["ID"] + " AND VisibilityId=0", "name ASC");
Is this a real threat or just one falsely flagged by McAfee?
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: McAfee Vulnerability ??
Very real threat. What you are doing is insecure. You are passing unfiltered query string data into a SQL query.
Do that instead, ASAP.
ProductCollection productList = ProductDataSource.LoadForCriteria(
"ManufacturerId=" + AlwaysConvert.ToInt(Request.QueryString["ID"]) + " AND VisibilityId=0", "name ASC");
Cheers,
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
Re: McAfee Vulnerability ??
Thanks
Originally I was thinking along the same lines for a fix, like doing something like this:
int ID = (int)Request.QueryString["ID"];
.......
but your way does the trick.
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: McAfee Vulnerability ??
I think your code may cause a crash if it can't cast the value into integer. Any time you take input from the query string, assume someone is going to try to put bad data into it. The AlwaysConvert function attempts a conversion to int. If it can't convert it to int, it returns a 0 without a crash.
Mike718NY wrote:
Thanks
Originally I was thinking along the same lines for a fix, like doing something like this:
int ID = (int)Request.QueryString["ID"];
.......
but your way does the trick.
Cheers,
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
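The two points made in this thread, that concatenating Request.QueryString["ID"] into the criteria string is a SQL injection hole and that the fix has to cope with non-numeric input without crashing, can be seen side by side in the following added example. It is not AbleCommerce code and does not use the CommerceBuilder API: the query string is simulated with a NameValueCollection, ToIntOrZero is a hypothetical helper that only mirrors the "returns 0 on failure" behaviour Logan describes, the hostile value is the scanner's probe from the original post, and the table and column names in the parameterised command are placeholders.

```csharp
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;

// Added example, not AbleCommerce / CommerceBuilder code.
public static class ManufacturerCriteriaDemo
{
    // The pattern from the original post: whatever the client sends in ?ID=
    // is pasted verbatim into the WHERE clause.
    public static string VulnerableCriteria(NameValueCollection query)
    {
        return "ManufacturerId=" + query["ID"] + " AND VisibilityId=0";
    }

    // Hypothetical stand-in for the behaviour Logan describes: try to convert,
    // return 0 instead of throwing when the text is not an integer.
    public static int ToIntOrZero(string text)
    {
        return int.TryParse(text, out int value) ? value : 0;
    }

    // Hardened variant 1: coerce to int before concatenating, so only digits
    // (or 0) can ever reach the criteria string.
    public static string CoercedCriteria(NameValueCollection query)
    {
        return "ManufacturerId=" + ToIntOrZero(query["ID"]) + " AND VisibilityId=0";
    }

    // Hardened variant 2: validate and reject. Returns false for a missing,
    // non-numeric or non-positive ID so the caller can answer 400/404 instead of
    // silently querying manufacturer 0.
    public static bool TryBuildCriteria(NameValueCollection query, out string criteria)
    {
        criteria = null;
        if (!int.TryParse(query["ID"], out int manufacturerId) || manufacturerId <= 0)
            return false;
        criteria = "ManufacturerId=" + manufacturerId + " AND VisibilityId=0";
        return true;
    }

    // Where the data layer lets you, a parameterised command removes string
    // building entirely. Table/column names here are placeholders.
    public static SqlCommand ParameterisedCommand(int manufacturerId)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM Products WHERE ManufacturerId = @id AND VisibilityId = 0 ORDER BY Name ASC");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = manufacturerId;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: a normal request and the probe the scanner sent.
        var normal = new NameValueCollection { { "ID", "42" } };
        var probe = new NameValueCollection { { "ID", "';\",)`" } };

        Console.WriteLine("vulnerable, normal : " + VulnerableCriteria(normal));
        Console.WriteLine("vulnerable, probe  : " + VulnerableCriteria(probe));   // broken SQL, as McAfee saw
        Console.WriteLine("coerced,    probe  : " + CoercedCriteria(probe));      // ManufacturerId=0 AND ...

        if (TryBuildCriteria(probe, out string criteria))
            Console.WriteLine("validated,  probe  : " + criteria);
        else
            Console.WriteLine("validated,  probe  : rejected (would return 400/404)");

        if (TryBuildCriteria(normal, out criteria))
            Console.WriteLine("validated,  normal : " + criteria);

        Console.WriteLine("parameterised      : " + ParameterisedCommand(42).CommandText);
    }
}
```

Two details worth knowing when applying this: `(int)Request.QueryString["ID"]` does not compile in C# (a string cannot be cast to int), and `int.Parse` or `Convert.ToInt32` would throw on the probe above, which is the crash Logan warns about; `int.TryParse` is the non-throwing route. Between the two hardened variants, the coercing one is the drop-in fix from the thread, while the rejecting one also stops bad IDs from being served as manufacturer 0.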
Re: McAfee Vulnerability ??
I'm getting the message:
The name 'AlwaysConvert' does not exist in the current context
Do I need to reference another AC assembly?
All I have now is:
using CommerceBuilder.Products;
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: McAfee Vulnerability ??
Either CommerceBuilder.Utility or CommerceBuilder.Common... can't remember which off hand.
Cheers,
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
Re: McAfee Vulnerability ??
CommerceBuilder.Utility
thanks