blind sql injection vulnerability on scan

June 30, 2015

Any suggestions on how to remediate blind sql injection vulnerability?  The page in particular has no SQL at all but the finding says

Using the GET HTTP method, Nessus found that : The following resources may be vulnerable to blind SQL injection (time based) :

"The page parameter of the store.cfm CGI"

store.cfm?country=0&dodaac=N&page=case_lot_dates';SELECT%20pg_sleep(3);--

When I execute the code above, nothing happens but the display of the site error page.  I don't think that I can explain it away as a "false positive".  These URL values (country, dodaac, page) are not user input.  The values are static.  I didn't know whether to try and use the urlencodedformat method to eliminate it.

We are using CF9 in production but going to CF11 which is in dev and test.  Any suggestions are greatly appreciated.  Thanks.


Dave Ferguson
June 30, 2015

My guess would be that it is being picked up due to outputting an error handler when the injection string is present.

It doesn't matter if the url vars are user input.  The vars are manipulatable by a user so they need to be sanitized when passed in.  You should add some validation to the vars to make sure they are what you expect and handle any variants accordingly.

HTH,

--Dave

ronboy30 (Author)
June 30, 2015

Dave, that makes sense.  Will any of the CF tags do the sanitizing for me so that I can simply wrap the URL vars with it?

Dave Ferguson (Correct answer)
June 30, 2015

What you need to do is make sure that what you are expecting is what you are getting.  If that doesn't occur, handle it gracefully and don't let it just go to an error handler.

--Dave
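The approach Dave describes, validate the URL vars against what the page expects and fail gracefully instead of dropping into the error handler, as an added CFML example that is not from the thread. The allowed page and dodaac values, the datasource name and the table and column names are hypothetical placeholders; cfparam, isValid, listFindNoCase, cfheader and cfqueryparam are standard ColdFusion tags and functions available in CF9 and CF11.

```cfml
<!--- Added example, not code from the thread. Allow-list validation of the
      three URL variables named in the Nessus finding before any query runs.
      The allowed values below are hypothetical placeholders. --->
<cfset allowedPages   = "case_lot_dates,case_lot_items,contacts">
<cfset allowedDodaacs = "N,M,A">

<!--- Default missing variables so a request with a dropped parameter never
      reaches the error handler with an undefined URL scope member. --->
<cfparam name="url.country" default="0">
<cfparam name="url.dodaac"  default="N">
<cfparam name="url.page"    default="case_lot_dates">

<cfset errors = arrayNew(1)>

<!--- country must be a whole number; a value such as
      "case_lot_dates';SELECT pg_sleep(3);--" fails before any SQL exists. --->
<cfif NOT isValid("integer", url.country)>
    <cfset arrayAppend(errors, "country")>
</cfif>

<!--- dodaac and page are checked against fixed lists rather than
      "sanitized": anything not on the list is rejected as a whole. --->
<cfif NOT listFindNoCase(allowedDodaacs, url.dodaac)>
    <cfset arrayAppend(errors, "dodaac")>
</cfif>
<cfif NOT listFindNoCase(allowedPages, url.page)>
    <cfset arrayAppend(errors, "page")>
</cfif>

<!--- Handle bad input gracefully: a plain 400 response with a short message,
      instead of letting the request fall through to the site error page. --->
<cfif arrayLen(errors) GT 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>
        <p>Invalid request parameter(s): #htmlEditFormat(arrayToList(errors))#</p>
    </cfoutput>
    <cfabort>
</cfif>

<!--- If these values are ever used in a query, bind them with cfqueryparam so
      they travel as typed parameters and are never concatenated into the SQL.
      The datasource "storeDB" and the stores table are hypothetical. --->
<cfquery name="storeData" datasource="storeDB">
    SELECT store_id, store_name
    FROM   stores
    WHERE  country_id = <cfqueryparam value="#url.country#" cfsqltype="cf_sql_integer">
    AND    dodaac     = <cfqueryparam value="#url.dodaac#"  cfsqltype="cf_sql_varchar" maxlength="6">
</cfquery>
```

Because the validated value of url.page is only ever one of the listed names, it can safely drive a cfinclude or cfswitch afterwards; a rejected value produces a deliberate 400 rather than the site error page the scanner observed.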