Any suggestions on how to remediate a blind SQL injection vulnerability? The page in particular has no SQL at all, but the finding says:
Using the GET HTTP method, Nessus found that : The following resources may be vulnerable to blind SQL injection (time based) :
"The page parameter of the store.cfm CGI"
store.cfm?country=0&dodaac=N&page=case_lot_dates';SELECT%20pg_sleep(3);--
When I execute the code above, nothing happens except that the site error page is displayed. I don't think that I can explain it away as a "false positive". These URL values (country, dodaac, page) are not user input. The values are static. I didn't know whether to try and use the URLEncodedFormat method to eliminate it.
We are using CF9 in production but going to CF11 which is in dev and test. Any suggestions are greatly appreciated. Thanks.
My guess would be that it is being picked up due to outputting an error handler when the injection string is present.
It doesn't matter if the url vars are user input. The vars are manipulatable by a user so they need to be sanitized when passed in. You should add some validation to the vars to make sure they are what you expect and handle any variants accordingly.
HTH,
--Dave
Dave, that makes sense. Will any of the CF tags do the sanitizing for me so that I can simply wrap the URL vars with it?
What you need to do is make sure that what you are expecting is what you are getting. If that doesn't occur, handle it gracefully and don't let it just go to an error handler.
--Dave
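Dave's advice put into CFML, as an added example that is not part of the thread: the three parameter names come from the question, while the allowed values, the DoDAAC pattern, the datasource and the table and column names are assumptions. Rejecting anything outside the expected set with a fixed, fast response is what stops a time-based probe from being distinguishable from any other bad request.

```cfml
<!--- Added example, not from the thread: allowlist the store.cfm URL parameters
      before anything uses them. Parameter names are from the question; the
      accepted values and the query target are assumed. Tag syntax keeps it
      CF9-compatible. --->
<cfparam name="url.country" default="0">
<cfparam name="url.dodaac" default="N">
<cfparam name="url.page" default="case_lot_dates">

<!--- Assumed allowlist of page keys this template actually serves --->
<cfset allowedPages = "case_lot_dates,store_hours">

<!--- Every parameter must match the shape the page expects, nothing more --->
<cfset requestOk = isValid("integer", url.country)
                   AND reFind("^[A-Z0-9]{1,6}$", url.dodaac) GT 0
                   AND listFindNoCase(allowedPages, url.page) GT 0>

<cfif NOT requestOk>
    <!--- A probe such as page=case_lot_dates';SELECT pg_sleep(3);-- fails the
          allowlist and gets this fixed reply instead of the site error page,
          so there is no timing or content difference for a scanner to key on --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid request.</cfoutput>
    <cfabort>
</cfif>

<!--- If the page key is ever handed to a database, it is still bound with
      cfqueryparam rather than concatenated into the SQL string --->
<cfquery name="pageData" datasource="#application.dsn#">
    SELECT title, body
    FROM   store_pages
    WHERE  page_key = <cfqueryparam value="#url.page#" cfsqltype="cf_sql_varchar">
    AND    country  = <cfqueryparam value="#url.country#" cfsqltype="cf_sql_integer">
</cfquery>
```

Validation with isValid()/cfparam and parameter binding with cfqueryparam are separate controls: the first keeps unexpected input out of the page entirely, the second makes sure whatever does reach a query can never be parsed as SQL.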