Elxis CMS Forum
Support => Security => Topic started by: theprincy on May 16, 2007, 01:16:29
-
Is it true?
High (Suspicious) SQL Injection Fingerprinting
Description
SQL injection may be possible.
URL
http://www.site.ext/index.php?option=com_frontpage'INJECTED_PARAM&Itemid=1
Parameter
option=com_frontpage'INJECTED_PARAM&Itemid=1
Other information
sql
URL
http://www.site.ext//index.php?option=com_frontpage&Itemid=1'INJECTED_PARAM
Parameter
option=com_frontpage&Itemid=1'INJECTED_PARAM
Other information
sql
Solution
Do not trust client side input even if there is client side validation.
In general,
* If the input string is numeric, type check it.
* If the application uses JDBC, use PreparedStatement or CallableStatement with parameters passed by '?'.
* If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
* If stored procedures or bind variables can be used, use them for passing parameters into the query. Do not just concatenate strings into the query inside the stored procedure!
* Do not create dynamic SQL queries by simple string concatenation.
* Use the minimum database user privilege for the application. This does not eliminate SQL injection but minimizes its damage. E.g. if the application requires reading one table only, grant only such access to the application. Avoid using 'sa' or 'db-owner'.
Reference
* The OWASP guide at http://www.owasp.org/documentation/guide
* http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
* http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
* For Oracle databases, refer to http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf
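The report's "Solution" list applied to the two parameters it flagged (a whitelisted option name, a strictly numeric Itemid, and a bound parameter instead of concatenation), as an added PHP example that is not from this thread or from Elxis; the component list, table and rows are assumptions constructed for the demo.

```php
<?php
// Added example, not Elxis code: validate the two parameters the scanner
// injected into and query with a bound parameter instead of concatenation.
// The component list, table and rows below are constructed for the demo.
const ALLOWED_OPTIONS = ['com_frontpage', 'com_content', 'com_user'];
function validateRequest(array $get): ?array
{
    // 'option' is a component name: accept only values from a fixed list.
    $option = $get['option'] ?? '';
    if (!in_array($option, ALLOWED_OPTIONS, true)) {
        return null;
    }
    // 'Itemid' is numeric: the whole string must be digits, so that
    // "1'INJECTED_PARAM" is rejected rather than silently cast to 1.
    $itemid = (string) ($get['Itemid'] ?? '');
    if (!preg_match('/^[0-9]+$/D', $itemid)) {
        return null;
    }
    return ['option' => $option, 'Itemid' => (int) $itemid];
}

// Vulnerable form: the raw parameter is spliced into the SQL text.
function loadMenuUnsafe(PDO $db, string $itemid): array
{
    $sql = "SELECT id, name FROM menu WHERE id = '" . $itemid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a validated integer bound as a typed parameter.
function loadMenu(PDO $db, int $itemid): array
{
    $stmt = $db->prepare('SELECT id, name FROM menu WHERE id = :id');
    $stmt->bindValue(':id', $itemid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Demo against an in-memory SQLite table (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO menu (id, name) VALUES (1, 'Home')");
foreach (['1', "1'INJECTED_PARAM"] as $raw) {
    try {
        echo "unsafe: ", json_encode(loadMenuUnsafe($db, $raw)), "\n";
    } catch (PDOException $e) {
        echo "unsafe: '$raw' broke the query: ", $e->getMessage(), "\n";
    }
    $clean = validateRequest(['option' => 'com_frontpage', 'Itemid' => $raw]);
    echo "hardened: ", $clean === null ? "'$raw' rejected" : json_encode(loadMenu($db, $clean['Itemid'])), "\n";
}
```

The unsafe function lets the scanner's payload reach the database as SQL text (here it only breaks the query), while the hardened path rejects it before any query runs and binds the accepted value as an integer.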
-
Sorry, I cannot reproduce this injection in Elxis CMS. Can you please be more specific? Is it something that has to do with Elxis or a general PHP vulnerability issue? Elxis Defender, if it is set correctly, can protect your Elxis site from this kind of attack and ban attackers.
-
It is a site with Elxis.
This code was sent to me by the hosting provider, so I cannot tell you more for the moment.
-
Datahell, I have met this injection when I was testing some websites with the "Acunetix Web Vulnerability Scanner 4".
The report form of the problem is exactly the same.
-
I will run a full scan on Elxis again these days. In the meantime, if you have a live example of any kind of injection, please report it to us via PM/email.
By the way, the following code protects your site against CRLF injection/HTTP response splitting (a new hacking method).
You must add it in includes/Core/security.php
/* CRLF INJECTION/HTTP RESPONSE SPLIT */
// Match CR/LF whether URL-encoded (%0d, %0a, in any case), present as raw
// control characters, or written as the literal escape sequences \r and \n.
$pat = '/%0d|%0a|\r|\n|\\\\r|\\\\n/i';
// QUERY_STRING is still URL-encoded, so the %0d/%0a forms apply here.
if (isset($_SERVER['QUERY_STRING']) && preg_match($pat, $_SERVER['QUERY_STRING'])) {
    die('Possible CRLF injection/HTTP response split.');
}
// Cookie values arrive already decoded, so raw CR/LF is the form to catch here.
if (!empty($_COOKIE) && preg_match($pat, serialize($_COOKIE))) {
    die('Possible CRLF injection/HTTP response split.');
}
unset($pat);
I have not tested it thoroughly, but it seems to work fine. If you have a better proposal, write it here. You could also add a relative filter at Elxis Defender instead of patching security.php.
-
You must add it in includes/Core/security.php
Where in there?
-
You must add it in includes/Core/security.php
Where in there?
Yes supernet, just place the code that datahell has provided inside the security.php file.
Just be sure it is inside the PHP tags.
Or you can replace the security.php file with the following file.
[old attachment deleted by admin]
-
Add it exactly above the Flood protection area.
-
You could also add a relative filter at Elxis Defender instead of patching security.php.
What relative filter, John?
-
Hi supernet,
I believe the filter would be something like preg_match( or serialize(, but I base this conclusion solely on the above code. Don't take my word for certain.
-
Thanks Ivan. Let's see what datahell has to propose :)