PCI compliance scan SQL Injection warning

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
dandersonMLT
Lieutenant Commander (LCDR)
Posts: 95
Joined: Sun Oct 04, 2015 5:45 pm

PCI compliance scan SQL Injection warning

Post by dandersonMLT » Tue Oct 03, 2017 2:59 pm

I recently ran an automated PCI Compliance scanner on my site and it is reporting a SQL injection vulnerability in the SimpleSearch and Search.aspx.
The scanner seems to be injecting a waitfor to see if it increases the time for search to return, and is reporting that it is increasing the time.

The search methods in search.aspx are closed source in our edition, so I can't really verify if it is doing anything to protect against SQL injection.

Below is a snippet of the threat information from PCI Compliance scan. I am not including everything because I don't want to expose too much information.
THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in ctl00$ctl00$NestedMaster$PageHeader$StoreHeader_H$SimpleSearch$SearchButton parameter to {page url}

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query. This type of attack is known as a SQL injection attack.
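
The scanner behaviour described in this post, seen from the defender's side as an added example that is not from the thread or from AbleCommerce: it reviews constructed IIS-style log lines (assumed field order: date, time, cs-uri-stem, cs-uri-query, sc-status, time-taken in ms) and separates search requests that carry a waitfor delay payload and also ran slow (the condition that fails the scan) from probes that produced no delay.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not taken from the thread).
# Assumed field order: date time cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2017-10-03 14:01:02 /Search.aspx SearchTerm=blue+widget 200 143
2017-10-03 14:01:09 /Search.aspx SearchTerm=blue%27%3Bwaitfor+delay+%2700%3A00%3A05%27-- 200 5210
2017-10-03 14:01:15 /Search.aspx SearchTerm=red%27%3Bwaitfor+delay+%2700%3A00%3A05%27-- 200 131
2017-10-03 14:02:00 /Default.aspx - 200 30
"""

# Signature of the time-delay probe the scanner sends (SQL Server WAITFOR DELAY).
DELAY_PROBE = re.compile(r"waitfor\s+delay", re.IGNORECASE)
BASELINE_MS = 500  # assumed: this site's normal search latency ceiling in milliseconds


def parse_line(line):
    """Split one log line into a dict; None for lines that do not fit the assumed layout."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, clock, stem, query, status, taken = parts
    return {
        "ts": f"{date} {clock}",
        "stem": stem,
        "query": unquote_plus(query),  # decode %27 and '+' so the keyword is visible
        "status": int(status),
        "time_taken": int(taken),
    }


def classify(entry):
    """A probe whose request also ran slow is the condition that fails a PCI scan."""
    probe = DELAY_PROBE.search(entry["query"]) is not None
    slow = entry["time_taken"] > BASELINE_MS
    if probe and slow:
        return "probe-delay-observed"  # payload reached the database: investigate
    if probe:
        return "probe-no-delay"  # payload seen, no slowdown: consistent with a patched site
    return "benign"


def scan_log(text):
    """Return (timestamp, uri-stem, verdict, time-taken) for every non-benign entry."""
    findings = []
    for entry in filter(None, map(parse_line, text.splitlines())):
        verdict = classify(entry)
        if verdict != "benign":
            findings.append((entry["ts"], entry["stem"], verdict, entry["time_taken"]))
    return findings
```

Running the same review before and after applying a patch gives a quick confirmation that the probe no longer produces a delay.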

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Wed Oct 04, 2017 2:51 am

Which version of AbleCommerce are you using?

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

dandersonMLT
Lieutenant Commander (LCDR)
Posts: 95
Joined: Sun Oct 04, 2015 5:45 pm

Re: PCI compliance scan SQL Injection warning

Post by dandersonMLT » Wed Oct 04, 2017 2:56 am

AbleCommerce GoldR10SR1 (build 8620)

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Thu Oct 05, 2017 5:38 am

I'm sorry. Is it the WAP or WSP version?

Thanks!
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

dandersonMLT
Lieutenant Commander (LCDR)
Posts: 95
Joined: Sun Oct 04, 2015 5:45 pm

Re: PCI compliance scan SQL Injection warning

Post by dandersonMLT » Thu Oct 05, 2017 6:38 am

WSP

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Fri Oct 06, 2017 8:33 am

Hi,

Can you open a support ticket please? Just go to https://www.ablecommerce.com/helpdesk.aspx
If you don't have an account, you can create one.

I need to be able to get you some information in a secure manner. Please reference this forum post.

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

dandersonMLT
Lieutenant Commander (LCDR)
Posts: 95
Joined: Sun Oct 04, 2015 5:45 pm

Re: PCI compliance scan SQL Injection warning

Post by dandersonMLT » Fri Oct 06, 2017 8:46 am

Done. Thank you.

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Wed Oct 11, 2017 4:21 am

Thanks for getting back to me on the patch. For anyone else who might be reading this, the help site was just updated with the official patches here:

http://help.ablecommerce.com/index.htm# ... ailure.htm

Thanks,
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: PCI compliance scan SQL Injection warning

Post by jguengerich » Wed Oct 11, 2017 9:50 am

Katie,

In the R12 patch, the root directory web.config does not contain the modification described in step 1 of the instructions. I didn't check the R10 or R11 patches.
Jay

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Wed Oct 11, 2017 10:31 am

Hi Jay,

Actually, the Readme.doc has a mistake. I am uploading new versions now. This is the correct information if you've already downloaded.

1) Edit the \web.config

Change from:

<pages theme="Bootstrap_Responsive" validateRequest="false" enableEventValidation="false" clientIDMode="AutoID">

Change to:

<pages theme="Bootstrap_Responsive" enableEventValidation="false" clientIDMode="AutoID">

This will be slightly different for the R10 patch, but the included web.config is correct.

Thanks,
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: PCI compliance scan SQL Injection warning

Post by jguengerich » Thu Oct 12, 2017 1:22 am

Now I get this when I click on the R12 patch link:
Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SqlException (0x80131904): Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.]
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +350
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +156
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +268
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +314
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +204
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +428
System.Data.SqlClient.SqlConnection.Open() +130
NHibernate.Connection.DriverConnectionProvider.GetConnection() +210
NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare() +27
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper) +114
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory) +130
NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners) +769
NHibernate.Cfg.Configuration.BuildSessionFactory() +133
AbleLicense.Common.DbSessionManager..cctor() +268

[TypeInitializationException: The type initializer for 'AbleLicense.Common.DbSessionManager' threw an exception.]
AbleLicense.Common.DbSessionManager.get_Instance() +0
AbleLicense.Common.DbSessionModule.OpenSession(Object sender, EventArgs e) +10
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +139
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91
Jay

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: PCI compliance scan SQL Injection warning

Post by jguengerich » Thu Oct 12, 2017 1:37 am

Tried again, the link worked this time.

Can you confirm, according to the readme, the root web.config should NOT have validateRequest="false", but the admin web.config SHOULD have validateRequest="false"?
Jay

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Thu Oct 12, 2017 2:19 am

Yes that is correct.

We shouldn't have validateRequest="false" in root Website/Web.config
We need to have validateRequest="false" in our Website/Admin/Web.config

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: PCI compliance scan SQL Injection warning

Post by jguengerich » Thu Oct 12, 2017 2:37 am

OK, thanks Katie.
Jay

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: PCI compliance scan SQL Injection warning

Post by jmestep » Thu Oct 12, 2017 3:34 am

Katie,
I see the links are working now, so you don't need to pm me back.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: PCI compliance scan SQL Injection warning

Post by jmestep » Thu Oct 12, 2017 3:57 am

Are older versions not vulnerable or are you just not issuing patches?
Thanks
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Thu Oct 12, 2017 7:00 am

I'm not really sure because every reported case so far has been a result of a failed PCI scan. We patched back to Gold R10 SR1, because it seemed like a logical place to start since that version is PA-DSS certified. However, if anyone needs a patch for a different version, we're happy to assist with that.
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: PCI compliance scan SQL Injection warning

Post by AbleMods » Fri Oct 13, 2017 2:15 am

Is there a way to get the full source changes for this patch for clients who have customized CommerceBuilder?
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: PCI compliance scan SQL Injection warning

Post by AbleMods » Fri Oct 13, 2017 2:15 am

Would be helpful to see an entry about this in the dashboard News Feed as well.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: PCI compliance scan SQL Injection warning

Post by jmestep » Mon Nov 27, 2017 12:11 am

We applied the patch to numerous sites and on some are getting the same types of errors. Here is one from an R11 SR1 site. What do we do?
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack Trace:
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.category_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedData
Inner Exception Stack Trace:
   at System.Web.Security.MachineKey.Decode(String encodedData, MachineKeyProtection protectionOption)
   at AbleCommerce.Layouts.Base.Master_Page_PreLoad(Object sender, EventArgs e)
   at System.EventHandler.Invoke(Object sender, EventArgs e)
   at System.Web.UI.Page.OnPreLoad(EventArgs e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Thanks
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: PCI compliance scan SQL Injection warning

Post by Katie » Mon Nov 27, 2017 12:21 am

Hello Judy,

On which page(s) do these errors happen, or do you see this in the log? I'm also curious whether or not these sites have a machine key set in the web.config.

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
