Possible security vulnerability?

4 posts by 3 authors in: Forums > CMS Builder
Last Post: August 1, 2013   (RSS)

By Steve99 - July 31, 2013

Hi mizrahi,

Your client is correct in that it's a blind sql injection test. However, I don't think you have anything to worry about.

I found the site you are referencing and checked out the products page. It looks like you're using a standard "list page" section editor with default record loading. The page looks "different" to them because it's a dynamic page that loads content based on the record number in the URL, or it defaults to the first record. But you know this already, you built the site :)

That being said, I would not worry. CMS Builder is a solid platform. Also, anything that is output "as is" from the code generator won't have any security issues. If the "default" record loading code is customized by a developer by using more complex queries with variables that aren't properly escaped, then yes - that could present a security vulnerability. 

What this seems to be is a case of  "client sees things in Google Analytics reporting, Googles what they saw and reads part of an article"   :)

Cheers,
Steve

By mizrahi - August 1, 2013

Thanks steve99. Your thoughts mirror mine.

Could I also get the input of an interactive tools representative on this issue?

Hi Mizrahi,

If your using the getRecords, mysql_get or mysql_select functions provided with CMS Builder then this type of injection won't work. All strings that are passed into these functions are validated and escaped before being added to a MySQL statement.

I did some quick testing on a standard detail page created with the code generator to see what would happen with this type of injection. Here is the getRecords function I used:

  // load record from 'blog'
  list($blogRecords, $blogMetaData) = getRecords(array(
    'tableName'   => 'blog',
    'where'       => whereRecordNumberInUrl(0),
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
  ));
  $blogRecord = @$blogRecords[0]; // get first record
  if (!$blogRecord) { dieWith404("Record not found!"); } // show error message if no record found

When I added ?' or 1=1;-- to the end of the URL, the whereRecordNumberInUrl function detected the last number 1 in the string and ignored everything else. If you have a record with a num of one in your products section, this would have been what your client would have seen, otherwise an error would have been displayed.

Let me know if you have any questions.

Cheers

Greg

Greg Thomas







PHP Programmer - interactivetools.com