Security Metrics SQL Injection Vulnerability Error, But I Can't Duplicate It?
Posted on 2010-11-21
I am a Classic ASP programmer and I started a new ecommerce site on a Windows Enterprise Server 2003 using a MySQL Server on Fedora... and I am required to get PCI Compliance with SecurityMetrics.com
My scan has failed 5 times, and with tweaking, I still cannot duplicate their errors (with POST or GET) in any web browser. I am familiar with escaping single quotes and SQL injection commands and have functions for the data retrieval.
SECURITY METRICS VULNERABILITY RESULTS

Description: SQL injection vulnerability in emailaddress parameter to /signup.asp
Severity: Critical Problem
Impact: A remote attacker could execute SQL commands on the back-end database, possibly leading to password retrieval, authentication bypass, unauthorized data access, or unauthorized data modification.
Background: Structured Query Language (SQL) is the most common language understood by modern relational databases. It is made up of queries. A typical query reads: SELECT * FROM table WHERE condition where table is a table belonging to a relational database, and condition is a logic condition which is either true or false for each row of the table. The query would return any or all rows for which the condition is true.
Resolution: All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query. See the references below for fix information for specific products.
Vulnerability Details: Service: 80:TCP

SENT:
POST /signup.asp HTTP/1.0
Host: mydomain.com
Connection: Keep-Alive

firstname=default&lastname=default&emailaddress='&username=default&password=default&passwordverify=default&referurl=%3Cscript%3Ealert%28%27SAINT2To%27%29%3C%2Fscript%3E

RECEIVED: error in your SQL syntax
The weirdest part about the vulnerabilities is that they ONLY appear on my signup page (POST) on ALL the input variables, EVEN if the variable isn't even used in any SQL query???
I called them and they claim that their test logs into a Linux Terminal to post to my page and that they get errors... not telling me anything specific on the error or how I can create the same environment so that I may see what they are talking about.
I am not familiar with Terminal Services, Telnet, SSH, etc... SO, can someone tell me HOW to recreate what they are seeing? I did a little research and downloaded PuTTY, but not sure how to use it or even sure if it's what I needed.
I just need a quick course on what to download, how to prepare the POST to my web page via Port 80 with my post data (like they did) so I can see if there is some error or not, because at this point, I can't create any MySQL errors on my end with what they are claiming.
This is so frustrating.... please help.
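The request the scanner sent is fully spelled out in the SENT/RECEIVED lines of the report, so it can be replayed without PuTTY or a Linux terminal at all. The script below is an added example written for this thread (it is not the poster's code and not SecurityMetrics' tool): it rebuilds the same HTTP/1.0 POST byte for byte from the report's field values, sends it to the site over port 80 with a plain socket, and reports whether the reply contains the MySQL text "error in your SQL syntax" that the scanner matched on. It also repeats the probe once per form field with the lone single quote moved into that field, which is the cheapest way to confirm the "every field is flagged" observation: if the signup page concatenates all posted fields into one INSERT, a quote in any of them breaks the same statement, including fields the rest of the code never looks at. The host name mydomain.com is the placeholder from the report; the Content-Type and Content-Length headers are added so a modern server will read the body, and the field encoding is urlencode's, which the server decodes identically to the scanner's raw form.

```python
"""Replay a SecurityMetrics-style POST against /signup.asp and look for
the MySQL syntax-error string in the reply.

Added example for this thread; not the original poster's code and not
the scanner's own tool. Host, path and field values are copied from the
scan report quoted in the post.
"""
import socket
from urllib.parse import urlencode

TARGET_HOST = "mydomain.com"   # placeholder host name exactly as in the report
TARGET_PORT = 80
SIGNUP_PATH = "/signup.asp"

# Field values from the report's SENT line (referurl decoded from its %XX form).
SCANNER_FIELDS = {
    "firstname": "default",
    "lastname": "default",
    "emailaddress": "'",                             # the lone quote that broke the query
    "username": "default",
    "password": "default",
    "passwordverify": "default",
    "referurl": "<script>alert('SAINT2To')</script>",
}

# What the scanner saw in the response body.
MYSQL_ERROR_MARKER = "error in your SQL syntax"


def build_post_request(host, path, fields):
    """Return the raw HTTP/1.0 request bytes, mirroring the report's SENT block.

    Content-Type and Content-Length are added (the report omits them) so the
    server actually reads the form body.
    """
    body = urlencode(fields)  # encodes ' < > ( ) / as %27 %3C %3E %28 %29 %2F
    headers = [
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        "Connection: Keep-Alive",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def with_quote_in(fields, field):
    """Copy of fields with every value reset to 'default' except one single quote."""
    probe = {name: "default" for name in fields}
    probe[field] = "'"
    return probe


def looks_like_sql_error(response_text):
    """True when the reply echoes the MySQL error text the scanner matched on."""
    return MYSQL_ERROR_MARKER.lower() in response_text.lower()


def send_raw(host, port, request, timeout=10):
    """Send one raw request over a plain socket and return the whole reply as text."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def probe_field(host, port, path, field, fields=SCANNER_FIELDS):
    """Put the single quote into one field; return (status line, error seen?)."""
    response = send_raw(host, port, build_post_request(host, path, with_quote_in(fields, field)))
    status_line = response.split("\r\n", 1)[0]
    return status_line, looks_like_sql_error(response)


if __name__ == "__main__":
    # 1. Replay the scanner's exact request.
    reply = send_raw(TARGET_HOST, TARGET_PORT, build_post_request(TARGET_HOST, SIGNUP_PATH, SCANNER_FIELDS))
    print("scanner request ->", reply.split("\r\n", 1)[0], "| SQL error:", looks_like_sql_error(reply))

    # 2. Then one quote per field, to see which fields reach a query unescaped.
    for name in SCANNER_FIELDS:
        status, seen = probe_field(TARGET_HOST, TARGET_PORT, SIGNUP_PATH, name)
        print(f"{name:15s} {status} | SQL error: {seen}")
```

Run it from any machine that can reach the site on port 80; the first line replays the scanner's request, the rest show which single field is enough to trigger the error. A field that produces the error while never appearing in a WHERE clause is still being concatenated into some statement (usually the INSERT), and that statement is the one to convert to an ADODB.Command with parameters rather than string building.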