| Author |
 Topic  |
|
|
jinesh
VP-CART New User
141 Posts |
 Posted - November 02 2009 : 23:45:29
|
I was trying to get a McAfee Secure certificate for my shopping cart.
They had a scan on my site, and told me to fix 3 critical errors.
Port First Detected Category
80 30-OCT-2009 11:50 Database
Protocol Fix Difficulty Impact
HTTP Medium SQL Injection
How can i Fix it?
Jinesh
|
|
|
jinesh
VP-CART New User
141 Posts |
Posted - November 03 2009 : 00:21:31
|
Port ---- First Detected ---- Category
80 ---- 30-OCT-2009 11:50 ---- Database
Protocol ---- Fix Difficulty ---- Impact
HTTP ---- Medium ---- SQL Injection
Jinesh
|
 |
|
|
support
Administrator
4679 Posts |
Posted - November 03 2009 : 00:49:00
|
Hi Jinesh,
You need to ensure you have the latest patches applied to your site.
Also, any custom code you have had implemented needs to cleanse any calls to the database to ensure no injections can be made by hackers.
Thanks
Cam
VPASP Support |
|
|
|
jinesh
VP-CART New User
141 Posts |
Posted - November 03 2009 : 23:31:33
|
I have the latest patch of 6.50 for my site.
but still it have the error
MS SQL Database Error Disclosure Vulnerability......
Description
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to
output errors such as these, it is often possible to determine the database version and inject database command syntax that would
allow us to extract data.
The solution they say is
Remove the following characters from any user or dynamic database input: (examples in VBScript)
' (escape the single quote) input = replace( input, "'", "''" ) " (double quote) input = replace( input, """", "" ) ) (close parenthesis) input =
replace( input, ")", "" ) ( (open parenthesis) input = replace( input, "(", "" ) ; (semi-colon) input = replace( input, ";", "" ) - (dash) input =
replace( input, "-", "" ) | (pipe) input = replace( input, "|", "" )
What should i do for this?
Jinesh
|
|
|
|
support
Administrator
4679 Posts |
Posted - November 04 2009 : 00:22:58
|
Hi Jinesh,
If you do have the latest patches applied then you need to look at your custom code as the default VPASP will pass the tests without any changes needed to be made.
If you want us to have a look it for you we do offer a scanning preparation service. Just post a ticket in the helpdesk and we can review and give you a quote.
https://helpdesk.vpasp.com
Thanks
Cam
VPASP Support |
|
|
|
jinesh
VP-CART New User
141 Posts |
Posted - November 04 2009 : 07:23:16
|
I have bought a byz add-on for the site. no other custom code have been done
Will there be any problem when i replace all
request(" to cleanchars(request("
Jinesh
|
|
|
|
Steve2507
VP-CART Expert
590 Posts |
Posted - November 04 2009 : 12:48:13
|
quote:
Originally posted by jinesh
I have bought a byz add-on for the site. no other custom code have been done
Will there be any problem when i replace all
request(" to cleanchars(request("
Jinesh
Good question, I'd be interested in the answer for this as well.
Steve
Sex toys from a UK sex shop including vibrators and dildos. |
|
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - November 04 2009 : 13:55:23
|
I'd also be interested in the answer too. As far as I know all our addons do the relevant cleaning functions. They may do the cleaning in a slightly different way due to the nature of the addons, but they still won't allow injections as far as I know, and also won't produce a database error if the user enters something to try and force a sql error.
If someone suspects it's one of our addons causing the problem, then just give us a copy of the report which specifies what caused the error and a list of modules that you're using and we'll take a look, but my guess is that it's something more generic or a manual customisation.
For example, byz116 has a lot of potential arguments, but the values are translated/cleaned as appropriate.
If you do a global replace of request to cleanchars(request(" then it'll be a big job and will break some aspects of the cart; the context of the call to that function is vital.
Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons |
Edited by - devshb on November 04 2009 14:23:24 |
|
|
|
Steve2507
VP-CART Expert
590 Posts |
Posted - November 04 2009 : 14:38:58
|
quote:
Originally posted by devshb
I'd also be interested in the answer too. As far as I know all our addons do the relevant cleaning functions. They may do the cleaning in a slightly different way due to the nature of the addons, but they still won't allow injections as far as I know, and also won't produce a database error if the user enters something to try and force a sql error.
If someone suspects it's one of our addons causing the problem, then just give us a copy of the report which specifies what caused the error and a list of modules that you're using and we'll take a look, but my guess is that it's something more generic or a manual customisation.
For example, byz116 has a lot of potential arguments, but the values are translated/cleaned as appropriate.
If you do a global replace of request to cleanchars(request(" then it'll be a big job and will break some aspects of the cart; the context of the call to that function is vital.
Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
That's what I thought, but it's good that you came on to clarify it Simon, thanks.
Steve
Sex toys from a UK sex shop including vibrators and dildos. |
|
|
|
jinesh
VP-CART New User
141 Posts |
Posted - November 05 2009 : 01:51:05
|
That was my doubt, regarding replace.
Path /shopaddtocart.asp
Body
productid=32
Featurevalue1=x';",)`
Feature1=7
quantity=1
Order=Buy
Solution
THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM
PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.
Anyone Know what does this error indicates. or how can i fix it?
Jinesh
|
|
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - November 05 2009 : 04:44:49
|
The actual file relevant here is shopproductfeaturesprocess.asp rather than shopaddtocart.asp, as shopproductfeaturesprocess.asp is what gets those values from the form.
Offhand it looks like an unpatched/old file; by the look of it (in the version I've got to-hand) that value gets cleaned before it gets processed.
(I'm glad it wasn't our addons that were the cause!)
Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons |
Edited by - devshb on November 05 2009 04:55:29 |
|
|
|
jinesh
VP-CART New User
141 Posts |
Posted - November 05 2009 : 05:20:23
|
Thanks Simon
I have used cleanchars for featurevalue in that page...
The line reads
featurevaluename= fprefix & prodi & "Featurevalue" & i
featurevalue=cleanchars(request(featurevaluename))
How does this happen then?
Jinesh
|
|
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - November 05 2009 : 05:56:16
|
not sure offhand why it'd still be happening, it's quite hard to unpick the feature logic without physically adding debug messages for a specific instance; I'd say it's one to pass over to the vpasp help desk.
Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons |
|
|
| |
Topic |
|
All Forums
McAfee Secure
New Topic
Printer Friendly
TrustGuard - PCI Security Scanner
