Possible security vulnerability?

4 posts by 3 authors in: Forums > CMS Builder
Last Post: August 1, 2013

By mizrahi - July 31, 2013

I received the following message from a client...

“I happened to notice a potential issue with the security of the site. In Google Analytics it showed some visits like this:

/en-us/solutions/product.php?' or 1=1;--

which is a sign of a sql injection test. As far as I can tell, your site may be susceptible to a "blind" sql injection, because the page I just mentioned looks different than the page /en-us/solutions/product.php. That allows the True/False test which blind sql injection is based upon. I'm not sure if you are susceptible or not, just thought I'd point it out.”

Is this a valid concern? If not, can you help me with a response to ease their concerns?

thanks

By mizrahi - August 1, 2013

Thanks steve99. Your thoughts mirror mine.

Could I also get the input of an interactive tools representative on this issue?

Hi Mizrahi,

If you're using the getRecords, mysql_get or mysql_select functions provided with CMS Builder then this type of injection won't work. All strings that are passed into these functions are validated and escaped before being added to a MySQL statement.

I did some quick testing on a standard detail page created with the code generator to see what would happen with this type of injection. Here is the getRecords function I used:

  // load record from 'blog'
  list($blogRecords, $blogMetaData) = getRecords(array(
    'tableName'   => 'blog',
    'where'       => whereRecordNumberInUrl(0),
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
  ));
  $blogRecord = @$blogRecords[0]; // get first record
  if (!$blogRecord) { dieWith404("Record not found!"); } // show error message if no record found

When I added ?' or 1=1;-- to the end of the URL, the whereRecordNumberInUrl function detected the last number 1 in the string and ignored everything else. If you have a record with a num of one in your products section, this would have been what your client would have seen, otherwise an error would have been displayed.

Let me know if you have any questions.

Cheers

Greg

Greg Thomas
PHP Programmer - interactivetools.com
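The two behaviours discussed in this thread, as an added example that is not part of the original posts or of CMS Builder's own code (CMS Builder is PHP; this is a small Python re-creation of the idea using sqlite3). `record_number_in_url` is an assumption about how a "take the last number in the URL and ignore the rest" lookup like the one Greg describes for whereRecordNumberInUrl can work; `load_record_safe` binds that number as a query parameter, so the rest of the query string never reaches the SQL. `load_records_naive` is a constructed, deliberately unsafe lookup that splices the raw value into the statement, included only to show why the client's `?' or 1=1;--` visit would produce the True/False page difference they mentioned on an application that does not escape or parameterise its inputs. The `products` table and its rows are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import unquote, urlsplit

# Constructed sample data standing in for the site's "products" section.
SAMPLE_ROWS = [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")]


def make_db():
    """Build an in-memory table with a numeric record id ('num'), like CMS Builder records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (num INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def record_number_in_url(url):
    """Return the last integer found in the URL's path or query string, or None.

    Assumption: this mimics the behaviour described in the thread for
    whereRecordNumberInUrl (keep the last number, ignore everything else).
    The query string is URL-decoded first so '%3D' and friends do not hide digits.
    """
    parts = urlsplit(url)
    text = unquote(parts.path + "?" + parts.query)
    numbers = re.findall(r"\d+", text)
    return int(numbers[-1]) if numbers else None


def load_record_safe(conn, url):
    """Look up one record by the number in the URL using a bound parameter.

    Whatever else is in the query string is discarded, and the number itself is
    passed to the driver as data, not as SQL text. Returns the row or None
    (None is where the generated page would call dieWith404("Record not found!")).
    """
    num = record_number_in_url(url)
    if num is None:
        return None
    return conn.execute(
        "SELECT num, title FROM products WHERE num = ?", (num,)
    ).fetchone()


def load_records_naive(conn, raw_value):
    """Constructed, deliberately unsafe lookup: the raw query-string value is
    concatenated into the SQL. With the value from the client's report the
    WHERE clause becomes  num = '' or 1=1;--'  and every row comes back, which
    is the page difference that makes a blind True/False test possible."""
    sql = "SELECT num, title FROM products WHERE num = '" + raw_value + "'"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "/en-us/solutions/product.php?' or 1=1;--"
    print("safe lookup   :", load_record_safe(db, injected))      # record 1 only
    print("naive lookup  :", load_records_naive(db, "' or 1=1;--"))  # all rows
    print("no number     :", load_record_safe(db, "/en-us/solutions/product.php"))
```

Run as a script to see the contrast: the safe path returns only the record whose num is 1 (or nothing, if no such record exists), matching what Greg saw on the generated detail page, while the naive path returns the whole table.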