VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Customization
 McAfee Secure
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

jinesh
VP-ASP New User

141 Posts

Posted - November 02 2009 :  23:45:29  Show Profile  Reply with Quote
I was trying to get a McAfee Secure certificate for my shopping cart.
They had a scan on my site, and told me to fix 3 critical errors.
Port First Detected Category
80 30-OCT-2009 11:50 Database
Protocol Fix Difficulty Impact
HTTP Medium SQL Injection

How can i Fix it?


Jinesh

jinesh
VP-ASP New User

141 Posts

Posted - November 03 2009 :  00:21:31  Show Profile  Reply with Quote
Port ---- First Detected ---- Category
80 ---- 30-OCT-2009 11:50 ---- Database
Protocol ---- Fix Difficulty ---- Impact
HTTP ---- Medium ---- SQL Injection


Jinesh
Go to Top of Page

support
Administrator

4266 Posts

Posted - November 03 2009 :  00:49:00  Show Profile  Visit support's Homepage  Reply with Quote
Hi Jinesh,

You need to ensure you have the latest patches applied to your site.

Also, any custom code you have had implemented needs to cleanse any calls to the database to ensure no injections can be made by hackers.

Thanks

Cam
VPASP Support
Go to Top of Page

jinesh
VP-ASP New User

141 Posts

Posted - November 03 2009 :  23:31:33  Show Profile  Reply with Quote
I have the latest patch of 6.50 for my site.
but still it have the error
MS SQL Database Error Disclosure Vulnerability......

Description
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to
output errors such as these, it is often possible to determine the database version and inject database command syntax that would
allow us to extract data.
The solution they say is
Remove the following characters from any user or dynamic database input: (examples in VBScript)
' (escape the single quote) input = replace( input, "'", "''" ) " (double quote) input = replace( input, """", "" ) ) (close parenthesis) input =
replace( input, ")", "" ) ( (open parenthesis) input = replace( input, "(", "" ) ; (semi-colon) input = replace( input, ";", "" ) - (dash) input =
replace( input, "-", "" ) | (pipe) input = replace( input, "|", "" )

What should i do for this?



Jinesh
Go to Top of Page

support
Administrator

4266 Posts

Posted - November 04 2009 :  00:22:58  Show Profile  Visit support's Homepage  Reply with Quote
Hi Jinesh,

If you do have the latest patches applied then you need to look at your custom code as the default VPASP will pass the tests without any changes needed to be made.

If you want us to have a look it for you we do offer a scanning preparation service. Just post a ticket in the helpdesk and we can review and give you a quote.

https://helpdesk.vpasp.com

Thanks

Cam
VPASP Support
Go to Top of Page

jinesh
VP-ASP New User

141 Posts

Posted - November 04 2009 :  07:23:16  Show Profile  Reply with Quote
I have bought a byz add-on for the site. no other custom code have been done
Will there be any problem when i replace all
request(" to cleanchars(request("

Jinesh
Go to Top of Page

Steve2507
VP-ASP Expert

590 Posts

Posted - November 04 2009 :  12:48:13  Show Profile  Reply with Quote
quote:
Originally posted by jinesh

I have bought a byz add-on for the site. no other custom code have been done
Will there be any problem when i replace all
request(" to cleanchars(request("

Jinesh



Good question, I'd be interested in the answer for this as well.


Steve
Sex toys from a UK sex shop including vibrators and dildos.
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - November 04 2009 :  13:55:23  Show Profile  Visit devshb's Homepage  Reply with Quote
I'd also be interested in the answer too. As far as I know all our addons do the relevant cleaning functions. They may do the cleaning in a slightly different way due to the nature of the addons, but they still won't allow injections as far as I know, and also won't produce a database error if the user enters something to try and force a sql error.

If someone suspects it's one of our addons causing the problem, then just give us a copy of the report which specifies what caused the error and a list of modules that you're using and we'll take a look, but my guess is that it's something more generic or a manual customisation.

For example, byz116 has a lot of potential arguments, but the values are translated/cleaned as appropriate.

If you do a global replace of request to cleanchars(request(" then it'll be a big job and will break some aspects of the cart; the context of the call to that function is vital.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on November 04 2009 14:23:24
Go to Top of Page

Steve2507
VP-ASP Expert

590 Posts

Posted - November 04 2009 :  14:38:58  Show Profile  Reply with Quote
quote:
Originally posted by devshb

I'd also be interested in the answer too. As far as I know all our addons do the relevant cleaning functions. They may do the cleaning in a slightly different way due to the nature of the addons, but they still won't allow injections as far as I know, and also won't produce a database error if the user enters something to try and force a sql error.

If someone suspects it's one of our addons causing the problem, then just give us a copy of the report which specifies what caused the error and a list of modules that you're using and we'll take a look, but my guess is that it's something more generic or a manual customisation.

For example, byz116 has a lot of potential arguments, but the values are translated/cleaned as appropriate.

If you do a global replace of request to cleanchars(request(" then it'll be a big job and will break some aspects of the cart; the context of the call to that function is vital.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

That's what I thought, but it's good that you came on to clarify it Simon, thanks.


Steve
Sex toys from a UK sex shop including vibrators and dildos.
Go to Top of Page

jinesh
VP-ASP New User

141 Posts

Posted - November 05 2009 :  01:51:05  Show Profile  Reply with Quote
That was my doubt, regarding replace.
Path /shopaddtocart.asp

Body
productid=32
Featurevalue1=x';",)`
Feature1=7
quantity=1
Order=Buy

Solution
THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM
PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

Anyone Know what does this error indicates. or how can i fix it?


Jinesh
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - November 05 2009 :  04:44:49  Show Profile  Visit devshb's Homepage  Reply with Quote
The actual file relevant here is shopproductfeaturesprocess.asp rather than shopaddtocart.asp, as shopproductfeaturesprocess.asp is what gets those values from the form.

Offhand it looks like an unpatched/old file; by the look of it (in the version I've got to-hand) that value gets cleaned before it gets processed.

(I'm glad it wasn't our addons that were the cause!)

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on November 05 2009 04:55:29
Go to Top of Page

jinesh
VP-ASP New User

141 Posts

Posted - November 05 2009 :  05:20:23  Show Profile  Reply with Quote
Thanks Simon
I have used cleanchars for featurevalue in that page...

The line reads
featurevaluename= fprefix & prodi & "Featurevalue" & i
featurevalue=cleanchars(request(featurevaluename))

How does this happen then?


Jinesh
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - November 05 2009 :  05:56:16  Show Profile  Visit devshb's Homepage  Reply with Quote
not sure offhand why it'd still be happening, it's quite hard to unpick the feature logic without physically adding debug messages for a specific instance; I'd say it's one to pass over to the vpasp help desk.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000