Blind SQL injections on product_info.php page

[lindsay]

Can anyone help me with removing the Blind SQL injection vulnerability. I installed Security Pro and I thought I put in the Cross Site script but all of a sudden I'm getting a failed PCI scan. Any suggestions?? Thanks!

[jpf]

Are you using the latest osCommerce Online Merchant v2.2 Release Candidate 2a?

Double check all your editing for Security Pro.

If not - consider osCMax - no known SQL vulnerabilities or cross-site scripting issues.

[lindsay]

I am using osc rc2a. I use Security Metrics to scan and this has happened before but I fixed it or so I thought. I will double check the security pro code that I put in. Maybe I will consider osmax. Is it pretty much the same? Thanks!

[jpf]

Yes - but NO.

It has a whole lot more than just osCommerce

[lindsay]

How can I fix this? I am using Security Pro from FWR media in my osc store.


The true statement:

http://www.domainname.com/index.php?...=2%20and%201=0

Is returning a 403 Forbidden error.

The false statement:

http://www.domainname.com/index.php?...=2%20and%201=1

Is returning the product page.

In order to become compliant, both the true and false statements must return the same page whether it be the 403 error or the product page.

[michael_s]

I don't think it has anything to do with osC. You are probably tripping a mod_security rule which gives the 403 forbidden message. osCommerce does not determine what is forbidden, that is an account level or server level issue.

Check to see if mod_security is filtering the one that is 403. I bet it is.

I had a discussion about this with another osC user that has Security Metrics. Their service seems to be the commonality...
http://www.facebook.com/pages/osCMax...re/57253524785

[lindsay]

How do I go about doing that? Do I ask my my web hosting provider?

[michael_s]

Yes, check with them if mod_security is installed and if so, see if they can provide the log entries from mod_security that show the blocking. Then send that to your PCI scan company and tell them it is a false positive.

[lindsay]

Thanks a bunch! I am waiting to hear back from my web hosts. I was reading on the Zen Cart forum and they mentioned that this happens often with SM. This has been driving me nuts all day! Especially since the last scan didn't have this issue. I really appreciate your help!

[lindsay]

My other store is doing the same thing but this time its not showing a forbidden page and mod_security is not installed. The pages are just showing up in an empty shopping cart and the other page shows the normal store. So they are not showing the same results. Any suggestions?

Possible blind sql injection on https://domain.com/catalo g/shopping_cart.php?osCsid=0b8dc0b901af51a 14c3ddadc6471266b wp --bsql "https://domain.com/catalog/shopping_cart.php?osCsid=0b8dc0b901af51a14c3ddadc6 471266b" style="display: none;"> "https://domain.com/catalog/shopping_cart.php?osCsid=0b8dc0b901af51a14c3ddadc6 471266b+and+1%3D1" "https://domain.com/catalog/shopping_cart.php?osCsid=0b8dc0b901af51a14c3ddadc6 471266b+and+1%3D0" cat <<EOF > bsql.sh curl -L -k "https://domain.com/catalog/shopping_cart.php?osCsid=0b8dc0b901af51a14c3ddadc6 471266b+and+1%3D1"> a curl -L -k "https://domain.com/catalog/shopping_cart.php?osCsid=0b8dc0b901af51a14c3ddadc6 471266b+and+1%3D0"> b diff a b EOF sh bsql.sh This website may have other injection related vulnerabilities. [More]