
blind sql injection vulnerability on scan

Explorer, Jun 30, 2015


Any suggestions on how to remediate a blind SQL injection vulnerability? The page in particular has no SQL at all, but the finding says:

Using the GET HTTP method, Nessus found that: The following resources may be vulnerable to blind SQL injection (time based):

"The page parameter of the store.cfm CGI"

store.cfm?country=0&dodaac=N&page=case_lot_dates';SELECT%20pg_sleep(3);--

When I execute the code above, nothing happens but the display of the site error page. I don't think that I can explain it away as a "false positive". These URL values (country, dodaac, page) are not user input. The values are static. I didn't know whether to try and use the urlencodedformat method to eliminate it.

We are using CF9 in production but are going to CF11, which is in dev and test. Any suggestions are greatly appreciated. Thanks.

Correct answer (Engaged, Jun 30, 2015):

What you need to do is make sure that what you are expecting is what you are getting. If that doesn't occur, handle it gracefully and don't let it just go to an error handler.

--Dave

Engaged, Jun 30, 2015


My guess would be that it is being picked up due to outputting an error handler when the injection string is present.

It doesn't matter if the URL vars are user input. The vars are manipulable by a user, so they need to be sanitized when passed in. You should add some validation to the vars to make sure they are what you expect and handle any variants accordingly.

HTH,

--Dave

Explorer, Jun 30, 2015


Dave, that makes sense. Will any of the CF tags do the sanitizing for me so that I can simply wrap the URL vars with it?

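As an added example (not code from this thread, and not Adobe's), here is the kind of check Dave describes, written as CF9-compatible CFML that can sit at the top of store.cfm. There is no single tag that "sanitizes" a URL variable for you: cfparam only checks type, and URLEncodedFormat encodes a string for use in a URL rather than making it safe for anything else. What works is an allowlist of the values the page actually accepts, a clean 400 response for anything else, and cfqueryparam wherever a parameter does reach a query. The page names, dodaac values, datasource and table below are assumed for illustration. Before and after the fix, a practitioner would also confirm the finding by requesting the probe URL with pg_sleep(3) and again with a much larger sleep value and comparing wall-clock response times; an error page that returns in the same time either way is not a time-based injection.

```cfml
<!---
  Added example, not the original poster's code.
  Allowlist validation for the static URL parameters of store.cfm so an
  unexpected value gets a clean 400 instead of falling through to the
  site error handler. The allowed values, datasource and table are assumed.
--->
<cfparam name="url.country" default="0">
<cfparam name="url.dodaac"  default="N">
<cfparam name="url.page"    default="case_lot_dates">

<!--- Known-good values; extend these lists to match the real application --->
<cfset validPages  = "case_lot_dates,case_lot_summary,contact">
<cfset validDodaac = "N,Y">

<!---
  Reject anything that is not exactly what the page expects:
  country must be an integer, dodaac and page must be on the allowlists.
  The Nessus probe value for page fails the allowlist test and never
  reaches any include, query or error handler.
--->
<cfif NOT isValid("integer", url.country)
      OR listFindNoCase(validDodaac, url.dodaac) EQ 0
      OR listFindNoCase(validPages, url.page) EQ 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfcontent type="text/html" reset="true">
    <p>Invalid request.</p>
    <cfabort>
</cfif>

<!---
  From here on url.page is one of the allowlisted names, so it is safe to
  use in an include. The directory and file names are assumed.
--->
<cfinclude template="pages/#url.page#.cfm">

<!---
  If a parameter does reach SQL, bind it with cfqueryparam rather than
  interpolating it. The datasource and table are assumed for illustration.
--->
<cfquery name="caseLotDates" datasource="store">
    SELECT lot_id, ship_date
    FROM   case_lots
    WHERE  country_id = <cfqueryparam value="#url.country#" cfsqltype="cf_sql_integer">
    AND    dodaac     = <cfqueryparam value="#url.dodaac#"  cfsqltype="cf_sql_varchar" maxlength="1">
</cfquery>
```

The allowlist check is the part that answers the scanner: once store.cfm returns a fast, uniform 400 for any value of page that is not on the list, the probe string can neither change response timing nor trigger the error page. cfqueryparam is belt and braces for the pages that do query, and is worth applying across the application when moving to CF11 regardless of what the scan reported.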