PCI compliance scan SQL Injection warning

[dandersonMLT]

I recently ran an automated PCI Compliance scanner on my site and it is reporting SQL injection vulnerability in the SimpleSearch and Search.aspx
The scanner seems to be injecting a waitfor to see if it increases the time for search to return and is reporting that it is increasing the time.

The search methods in search.aspx are closed source in our edition, so I can't really verify if it is doing anything to protect against SQL injection.

Below is a snippet of the threat information from PCI Compliance scan. I am not including everything because I don't want to expose too much information.

THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in ctl00$ctl00$NestedMaster$PageHeader$StoreHeader_H$SimpleSearch$SearchButton parameter to {page url}

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters
within SQL queries without first checking them for unexpected
characters, it becomes possible for an attacker to
manipulate the query. This type of attack is known as a
SQL injection attack.

[Katie]

Which version of AbleCommerce are you using?

Thanks
Katie

[dandersonMLT]

AbleCommerce GoldR10SR1 (build 8620)

[Katie]

I'm sorry. Is it the WAP or WSP version?

Thanks!
Katie

[dandersonMLT]

WSP

[Katie]

Hi,

Can you open a support ticket please? Just go to https://www.ablecommerce.com/helpdesk.aspx
If you don't have an account, you can create one.

I need to be able to get you some information in a secure manner. Please reference this forum post.

Thanks
Katie

[dandersonMLT]

Done. Thank you.

[Katie]

Thanks for getting back to me on the patch. For anyone else who might be reading this, the help site was just updated with the official patches here:

http://help.ablecommerce.com/index.htm# ... ailure.htm

Thanks,
Katie

[jguengerich]

Katie,

In the R12 patch, the root directory web.config does not contain the modification described in step 1 of the instructions. I didn't check the R10 or R11 patches.

[Katie]

Hi Jay,

Actually, the Readme.doc has a mistake. I am uploading new versions now. This is the correct information if you've already downloaded.

1) Edit the \web.config

Change from:

Code: Select all

<pages theme="Bootstrap_Responsive" validateRequest="false" enableEventValidation="false" clientIDMode="AutoID">

Change to:

Code: Select all

<pages theme="Bootstrap_Responsive" enableEventValidation="false" clientIDMode="AutoID">

This will be slightly different for the R10 patch, but the included web.config is correct.

Thanks,
Katie

[jguengerich]

Now I get this when I click on the R12 patch link:

Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[SqlException (0x80131904): Cannot open database "ablecommerce_com_gold2" requested by the login. The login failed.
Login failed for user 'ablecommerce_user6'.]
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +350
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +156
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +268
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +314
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +204
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +428
System.Data.SqlClient.SqlConnection.Open() +130
NHibernate.Connection.DriverConnectionProvider.GetConnection() +210
NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare() +27
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper) +114
NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory) +130
NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners) +769
NHibernate.Cfg.Configuration.BuildSessionFactory() +133
AbleLicense.Common.DbSessionManager..cctor() +268

[TypeInitializationException: The type initializer for 'AbleLicense.Common.DbSessionManager' threw an exception.]
AbleLicense.Common.DbSessionManager.get_Instance() +0
AbleLicense.Common.DbSessionModule.OpenSession(Object sender, EventArgs e) +10
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +139
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91

[jguengerich]

Tried again, the link worked this time.

Can you confirm, according to the readme, the root web.config should NOT have validateRequest="false", but the admin web.config SHOULD have validateRequest="false"?

[Katie]

Yes that is correct.

We shouldn't have validateRequest="false" in root Website/Web.config
We need to have validateRequest="false" in our Website/Admin/Web.config

Thanks
Katie

[jguengerich]

OK, thanks Katie.

[jmestep]

Katie,
I see the links are working now, so you don't need to pm me back.

[jmestep]

Are older versions not vulnerable or are you just not issuing patches?
Thanks

[Katie]

I'm not really sure because every reported case so far has been a result of a failed PCI scan. We patched back to Gold R10 SR1, because it seemed like a logical place to start since that version is PA-DSS certified. However, if anyone needs a patch for a different version, we're happy to assist with that.

[AbleMods]

Is there a way to get the full source changes for this patch for clients who have customized CommerceBuilder?

[AbleMods]

Would be helpful to see an entry about this in the dashboard News Feed as well

[jmestep]

We applied the patch to numerous sites and on some are getting the same types of errors. Here is one from an R11 SR1 site. What do we do?

Exception of type 'System.Web.HttpUnhandledException' was thrown. Stack Trace: at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.category_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) Inner Exception: Exception of type 'System.ArgumentException' was thrown. Parameter name: encodedData Inner Exception Stack Trace: at System.Web.Security.MachineKey.Decode(String encodedData, MachineKeyProtection protectionOption) at AbleCommerce.Layouts.Base.Master_Page_PreLoad(Object sender, EventArgs e) at System.EventHandler.Invoke(Object sender, EventArgs e) at System.Web.UI.Page.OnPreLoad(EventArgs e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Thanks

[Katie]

Hello Judy,

On which page(s) do these error happen, or do you see this in the log? I'm also curious whether or not these sites have a machine key set in the web.config?

Thanks
Katie