Possible security vulnerability?
4 posts by 3 authors in: Forums > CMS Builder
Last Post: August 1, 2013
By mizrahi - July 31, 2013
I received the following message from a client...
“I happened to notice a potential issue with the security of the site. In Google Analytics it showed some visits like this:
/en-us/solutions/product.php?' or 1=1;--
which is a sign of a sql injection test. As far as I can tell, your site may be susceptible to a "blind" sql injection, because the page I just mentioned looks different than the page /en-us/solutions/product.php. That allows the True/False test which blind sql injection is based upon. I'm not sure if you are susceptible or not, just thought I'd point it out.”
Is this a valid concern? If not, can you help me with a response to ease their concerns?
Thanks.
By Steve99 - July 31, 2013
Hi mizrahi,
Your client is correct in that it's a blind sql injection test. However, I don't think you have anything to worry about.
I found the site you are referencing and checked out the products page. It looks like you're using a standard "list page" section editor with default record loading. The page looks "different" to them because it's a dynamic page that loads content based on the record number in the URL, or it defaults to the first record. But you know this already, you built the site :)
That being said, I would not worry. CMS Builder is a solid platform. Also, anything that is output "as is" from the code generator won't have any security issues. If the "default" record loading code is customized by a developer by using more complex queries with variables that aren't properly escaped, then yes - that could present a security vulnerability.
What this seems to be is a case of "client sees things in Google Analytics reporting, Googles what they saw and reads part of an article" :)
Cheers,
Steve
By mizrahi - August 1, 2013
Thanks steve99. Your thoughts mirror mine.
Could I also get the input of an interactive tools representative on this issue?
By gregThomas - August 1, 2013
Hi Mizrahi,
If you're using the getRecords, mysql_get or mysql_select functions provided with CMS Builder then this type of injection won't work. All strings that are passed into these functions are validated and escaped before being added to a MySQL statement.
I did some quick testing on a standard detail page created with the code generator to see what would happen with this type of injection. Here is the getRecords function I used:
// load record from 'blog'
list($blogRecords, $blogMetaData) = getRecords(array(
    'tableName'   => 'blog',
    'where'       => whereRecordNumberInUrl(0),
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
));
$blogRecord = @$blogRecords[0]; // get first record
if (!$blogRecord) { dieWith404("Record not found!"); } // show error message if no record found
When I added ?' or 1=1;-- to the end of the URL, the whereRecordNumberInUrl function detected the last number 1 in the string and ignored everything else. If you have a record with a num of one in your products section, this would have been what your client would have seen, otherwise an error would have been displayed.
Let me know if you have any questions.
Cheers
Greg
PHP Programmer - interactivetools.com
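The two points made in this thread, that the record number is pulled out of the URL and the rest of the query string is discarded (Greg's test), and that a query is only at risk when a developer concatenates unescaped variables into it (Steve's caveat), can be seen together in the short script below. It is an added example and not CMS Builder code: `recordNumberFromQueryString()` is a hypothetical stand-in that reproduces the behaviour Greg describes for `whereRecordNumberInUrl()` (take the last run of digits, ignore everything else), and the lookup uses a PDO prepared statement with an integer-bound placeholder rather than the CMS Builder `getRecords`/`mysql_*` helpers. The `products` table and its two rows are constructed in an in-memory SQLite database so the script runs offline.

```php
<?php
// Added example, not part of CMS Builder or this thread's original code.
declare(strict_types=1);

/**
 * Hypothetical stand-in for whereRecordNumberInUrl(): return the last integer
 * found in the raw query string, or null if there is none. Any other text,
 * including the quote/comment characters of an injection probe, is dropped.
 */
function recordNumberFromQueryString(string $queryString): ?int
{
    if (preg_match_all('/\d+/', $queryString, $matches) === 0) {
        return null;
    }
    return (int) end($matches[0]);
}

/**
 * Load one record by its num. The value is never interpolated into the SQL
 * text; it is bound as an integer at execute time, so whatever surrounded the
 * digits in the URL can never change the shape of the statement.
 *
 * The pattern Steve warns about would look like
 *   "SELECT * FROM products WHERE num = '" . $_GET['num'] . "'"
 * which lets request text become SQL. The placeholder form below does not.
 */
function loadRecordByNum(PDO $db, string $table, string $queryString): ?array
{
    $num = recordNumberFromQueryString($queryString);
    if ($num === null) {
        return null; // caller responds with a 404, like dieWith404() in the thread
    }
    // $table is a fixed identifier chosen by the developer, not request input.
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE num = :num LIMIT 1");
    $stmt->bindValue(':num', $num, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: an in-memory SQLite database with two products.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (num INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'First product'), (2, 'Second product')");

// A normal request, the probe the client saw in Google Analytics, and a
// query string with no number at all.
foreach (["2", "' or 1=1;--", "abc"] as $queryString) {
    $row = loadRecordByNum($db, 'products', $queryString);
    printf("%-12s -> %s\n", $queryString,
        $row ? "num {$row['num']}: {$row['title']}" : 'not found (404)');
}
```

Running it shows the behaviour Greg observed: `2` loads the second product, the probe `' or 1=1;--` loads record 1 because the trailing `1` is the only digit that survives extraction, and `abc` falls through to the 404 path. Each request stays a single-row lookup; the only thing the database ever receives from the URL is an integer.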