blind sql injection vulnerability on scan

Explorer,
Jun 30, 2015

Any suggestions on how to remediate a blind SQL injection vulnerability?  The page in particular has no SQL at all, but the finding says:

Using the GET HTTP method, Nessus found that : The following resources may be vulnerable to blind SQL injection (time based) :

"The page parameter of the store.cfm CGI"

store.cfm?country=0&dodaac=N&page=case_lot_dates';SELECT%20pg_sleep(3);--

When I execute the code above, nothing happens except that the site error page is displayed.  I don't think that I can explain it away as a "false positive".  These URL values (country, dodaac, page) are not user input.  The values are static.  I didn't know whether to try and use the urlencodedformat method to eliminate it.

We are using CF9 in production but going to CF11 which is in dev and test.  Any suggestions are greatly appreciated.  Thanks.

Engaged,
Jun 30, 2015
My guess would be that it is being picked up due to outputting an error handler when the injection string is present. 

It doesn't matter if the url vars are user input.  The vars are manipulatable by a user so they need to be sanitized when passed in.  You should add some validation to the vars to make sure they are what you expect and handle any variants accordingly.

HTH,

--Dave

Explorer,
Jun 30, 2015
Dave, that makes sense.  Will any of the CF tags do the sanitizing for me so that I can simply wrap the URL vars with it? 

Engaged,
Jun 30, 2015
What you need to do is make sure that what you are expecting is what you are getting.  If that doesn't occur handle it gracefully and not let it just go to an error handler.

--Dave

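Putting Dave's advice into CFML, as an added example that is not from the thread: each URL parameter of store.cfm is given a strict shape with cfparam, a mismatch is answered with a plain 400 instead of falling through to the site error handler, and the page value is checked against a fixed allow list before anything uses it. The parameter names come from the scanner finding; the patterns, the allowed page names, the datasource name and the query are assumptions.

```cfml
<!--- Added example (not code from the thread). Validate the URL parameters
      store.cfm receives before anything downstream touches them.
      Patterns, page names and datasource are assumed values. --->

<!--- cfparam type="regex" throws a ColdFusion exception when the value does
      not match the pattern; catch it here so the scanner never sees the
      generic site error page for a malformed parameter. --->
<cftry>
    <cfparam name="url.country" type="regex" pattern="^[0-9]{1,3}$" default="0">
    <cfparam name="url.dodaac"  type="regex" pattern="^[A-Z]$"      default="N">
    <!--- page is a key into an allow list, never free text. --->
    <cfparam name="url.page" type="regex" pattern="^[a-z_]{1,40}$" default="case_lot_dates">

    <cfcatch type="any">
        <!--- Unexpected input: answer with a plain 400 and do not echo the value. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request parameter.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- Allow list of the only page names this script will render (assumed values). --->
<cfset allowedPages = "case_lot_dates,store_hours,contact">
<cfif NOT listFindNoCase(allowedPages, url.page)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>Unknown page.</cfoutput>
    <cfabort>
</cfif>

<!--- If a validated value is ever handed to a query, bind it with cfqueryparam
      so the driver sends it as typed data, never as part of the SQL text.
      Table, columns and datasource "storeDSN" are assumed. --->
<cfquery name="storeInfo" datasource="storeDSN">
    SELECT store_name
    FROM   stores
    WHERE  country_id = <cfqueryparam value="#url.country#" cfsqltype="cf_sql_integer">
      AND  dodaac     = <cfqueryparam value="#url.dodaac#"  cfsqltype="cf_sql_varchar" maxlength="1">
</cfquery>
```

With this in place the scanner's `page=case_lot_dates';SELECT pg_sleep(3);--` probe fails the regex and gets a 400 immediately, so there is neither an error page nor a delay for the time-based check to key on.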