Possible security vulnerability?

4 posts by 3 authors in: Forums > CMS Builder
Last Post: August 1, 2013   (RSS)

By mizrahi - July 31, 2013

I received the following message from a client...

“I happened to notice a potential issue with the security of the site. In Google Analytics it showed some visits like this:

/en-us/solutions/product.php?' or 1=1;--

which is a sign of a sql injection test. As far as I can tell, your site may be susceptible to a "blind" sql injection, because the page I just mentioned looks different than the page /en-us/solutions/product.php. That allows the True/False test which blind sql injection is based upon. I'm not sure if you are susceptible or not, just thought I'd point it out.”

Is this a valid concern? If not, can you help me with a response to ease their concerns?

thanks

By Steve99 - July 31, 2013

Hi mizrahi,

Your client is correct in that it's a blind sql injection test. However, I don't think you have anything to worry about.

I found the site you are referencing and checked out the products page. It looks like you're using a standard "list page" section editor with default record loading. The page looks "different" to them because it's a dynamic page that loads content based on the record number in the URL, or it defaults to the first record. But you know this already, you built the site :)

That being said, I would not worry. CMS Builder is a solid platform. Also, anything that is output "as is" from the code generator won't have any security issues. If the "default" record loading code is customized by a developer by using more complex queries with variables that aren't properly escaped, then yes - that could present a security vulnerability.

What this seems to be is a case of "client sees things in Google Analytics reporting, Googles what they saw and reads part of an article" :)

Cheers,
Steve

Hi Mizrahi,

If you're using the getRecords, mysql_get or mysql_select functions provided with CMS Builder then this type of injection won't work. All strings that are passed into these functions are validated and escaped before being added to a MySQL statement.

I did some quick testing on a standard detail page created with the code generator to see what would happen with this type of injection. Here is the getRecords function I used:

  // load record from 'blog'
  list($blogRecords, $blogMetaData) = getRecords(array(
    'tableName'   => 'blog',
    'where'       => whereRecordNumberInUrl(0),
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
  ));
  $blogRecord = @$blogRecords[0]; // get first record
  if (!$blogRecord) { dieWith404("Record not found!"); } // show error message if no record found

When I added ?' or 1=1;-- to the end of the URL, the whereRecordNumberInUrl function detected the last number 1 in the string and ignored everything else. If you have a record with a num of one in your products section, this would have been what your client would have seen, otherwise an error would have been displayed.

Let me know if you have any questions.

Cheers

Greg

Greg Thomas
PHP Programmer - interactivetools.com
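The behaviour Greg describes (the record number is pulled out of the URL and the rest of the string is discarded, then the number is used in the query) is easiest to see side by side with the customised, unescaped query Steve warns about. The following is an added illustration and not CMS Builder code: record_number_from_query() is a hypothetical stand-in for what Greg reports whereRecordNumberInUrl() doing, the products table and its rows are constructed sample data in an in-memory SQLite database, and PDO prepared statements stand in for the escaping CMS Builder's own functions perform.

```php
<?php
// Added example, not part of CMS Builder. Shows why "?' or 1=1;--" is harmless
// when the record number is extracted and bound as a parameter, and what goes
// wrong when a developer splices the raw value into a custom query instead.

// Hypothetical stand-in for the behaviour Greg describes for whereRecordNumberInUrl():
// keep the last integer found in the query string, ignore everything else.
function record_number_from_query(string $query): ?int {
    if (preg_match_all('/\d+/', $query, $matches) === 0) {
        return null;                      // no number at all: caller shows a 404
    }
    return (int) end($matches[0]);        // "' or 1=1;--" contains "1" and "1" -> 1
}

// Safe loader: the extracted integer is bound, so user input never reaches the SQL text.
function load_product_safe(PDO $db, string $query): array {
    $num = record_number_from_query($query);
    if ($num === null) {
        return [];                        // dieWith404("Record not found!") on a real page
    }
    $stmt = $db->prepare('SELECT num, title FROM products WHERE num = ? LIMIT 1');
    $stmt->execute([$num]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The anti-pattern: a customised query that concatenates the raw URL value.
// The quote in the input closes the string literal and the rest rewrites the WHERE clause.
function load_product_unsafe(PDO $db, string $raw): array {
    $sql = "SELECT num, title FROM products WHERE num = '" . $raw . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (not a real products section).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (num INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget'), (3, 'Gizmo')");

$seen_in_analytics = "' or 1=1;--";   // the string from the client's report

var_dump(record_number_from_query($seen_in_analytics));
print_r(load_product_safe($db, $seen_in_analytics));   // behaves like ?1
print_r(load_product_safe($db, 'abc'));                // no number: empty, i.e. a 404
print_r(load_product_unsafe($db, $seen_in_analytics)); // WHERE clause no longer filters
```

Running it with the PHP CLI (pdo_sqlite is needed for the in-memory database) shows the two loaders diverging on the same input: the safe path reduces the string to the record numbered 1 and returns at most that one row, which matches what Greg observed, while the concatenating version returns every row because the condition has been turned into `num = '' or 1=1`. The thing to review on a site is therefore not the generated detail pages but any hand-written query that builds SQL from $_GET or $_REQUEST values without going through getRecords, mysql_get or mysql_select.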