SQL Injection

Thread began 8/18/2010 12:44 pm by lorgain396837 | Last modified 9/15/2010 10:02 am by lorgain396837 | 2669 views | 22 replies

lorgain396837

Jason,

We are still having problems. Here is the response they gave us about false positives.



McAfee has reviewed your request to resolve an open vulnerability issue, and determined that your explanation is not sufficiently descriptive to assure us that the issue was resolved properly. Due to insufficient information we are unable to approve your request to mark this issue resolved at this time.

Please log in and resolve the item again, by re-entering the details of actions you have taken to resolve this vulnerability. Please ensure your explanation is descriptive enough to illustrate that the issue was properly addressed.


Device: www.gorillasupply.com
Vulnerability: Web Application Cross Site Scripting

This is a valid vulnerability finding. After the redirection occurs the code is presented back to the user on the redirected page. See the RAW Request and Snippet of vulnerability code from the RAW Response below:

GET /Products_Search.php?ProductCategoryID%5B%5D=74&S_ProductName=%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Cbr%3E%3CiFraMe+src%3Dhttp%3A%2F%2Fwww.McAfeesecure.com+width%3D900+height%3D1100%3E%3C%2FIfRamE%3E&S_ProductPrice=%3E%5C%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Cbr%3E%3CiFraMe+src%3Dhttp%3A%2F%2Fwww.McAfeesecure.com+width%3D900+height%3D1100%3E%3C%2FIfRamE%3E&S_ProductPrice2=0&Search=Search&cancel=Cancel HTTP/1.1
Host: www.gorillasupply.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12) Gecko/20100824 Firefox/3.5.12 (.NET CLR 2.0.50727)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: formBuilder.jsp
Cookie: PHPSESSID=9da759b67e1bc47605cefc4473813a38

Snippet from RAW Response:

<p>
<label for="S_ProductName">Keyword:</label>
<input type="text" name="S_ProductName" id="S_ProductName2" value=">\"></title></iframe></script></form></td></tr><iFraMe src=http://www.McAfeesecure.com width=900 height=1100></IfRamE>" size="32" />
</p>
<p>
<label for="S_ProductPrice">Price Range:</label>

<span id="sprytextfield1">
<input type="text" name="S_ProductPrice" id="S_ProductPrice" value="%3E\\\%22%3E%3C/title%3E%3C/iframe%3E%3C/script%3E%3C/form%3E%3C/td%3E%3C/tr%3E%3Cbr%3E%3CiFraMe src=http://www.McAfeesecure.com width=900 height=1100%3E%3C/IfRamE%3E" size="10" onblur="if (document.getElementById('priceRangeServerValidation')) document.getElementById('priceRangeServerValidation').style.display='none';" style="width: 114px;" />
</span>
Thank You,
McAfee SECURE Customer Support
707-224-7656
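The reflection shown in the raw response above, as an added example (this is not code from the original site, from WebAssist, or from McAfee): a PHP search form that writes the submitted S_ProductName and S_ProductPrice values straight into its input value="" attributes, beside a hardened version that escapes them for the HTML attribute context. The function names and the simplified form markup are assumed for illustration; the query string is the one from the scanner's RAW request.

```php
<?php
// Added example, not the original site's code: a search form that reflects its
// query parameters into input value="" attributes, beside the hardened version.
// Assumed for illustration: the function names below and the simplified markup.
// The query string is the one from the scanner's RAW request.
declare(strict_types=1);

// VULNERABLE: untrusted $_GET values are concatenated straight into HTML.
// A submitted '"' or '>' terminates the attribute and the rest of the value is
// parsed as markup. A backslash before the quote (as in the scanner's response,
// value=">\"...) does not help: backslashes are not an escape in HTML.
function render_search_form_vulnerable(array $get): string
{
    $name  = (string) ($get['S_ProductName']  ?? '');
    $price = (string) ($get['S_ProductPrice'] ?? '');
    return '<input type="text" name="S_ProductName" value="' . $name . '" size="32" />' . "\n"
         . '<input type="text" name="S_ProductPrice" value="' . $price . '" size="10" />' . "\n";
}

// HARDENED: escape every untrusted value for the HTML attribute context at the
// point of output. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_form_hardened(array $get): string
{
    $name  = (string) ($get['S_ProductName']  ?? '');
    $price = (string) ($get['S_ProductPrice'] ?? '');
    return '<input type="text" name="S_ProductName" value="' . h($name) . '" size="32" />' . "\n"
         . '<input type="text" name="S_ProductPrice" value="' . h($price) . '" size="10" />' . "\n";
}

// The scanner's query string, decoded the same way PHP builds $_GET.
$query = 'ProductCategoryID%5B%5D=74'
    . '&S_ProductName=%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Cbr%3E'
    . '%3CiFraMe+src%3Dhttp%3A%2F%2Fwww.McAfeesecure.com+width%3D900+height%3D1100%3E%3C%2FIfRamE%3E'
    . '&S_ProductPrice=%3E%5C%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Cbr%3E'
    . '%3CiFraMe+src%3Dhttp%3A%2F%2Fwww.McAfeesecure.com+width%3D900+height%3D1100%3E%3C%2FIfRamE%3E'
    . '&S_ProductPrice2=0&Search=Search&cancel=Cancel';
parse_str($query, $get);

$vuln = render_search_form_vulnerable($get);
$safe = render_search_form_hardened($get);
echo "--- vulnerable (the iframe is live markup) ---\n", $vuln;
echo "--- hardened (the payload is inert text) ---\n", $safe;

// Regression check: the vulnerable output carries the raw tag, the hardened
// output carries only its entity-encoded form.
if (stripos($vuln, '<iframe') === false) {
    fwrite(STDERR, "unexpected: vulnerable form did not reflect the payload\n");
    exit(1);
}
if (stripos($safe, '<iframe') !== false || strpos($safe, '&gt;&quot;&gt;&lt;/title&gt;') === false) {
    fwrite(STDERR, "hardened form still reflects raw markup\n");
    exit(1);
}
echo "OK: hardened form neutralises the scanner payload\n";
```

Run it with `php example.php`. Two points a practitioner would take from the scanner's evidence: the `\"` in the reflected S_ProductName value suggests the input passed through a backslash escape (addslashes or magic_quotes) before being echoed, which protects a SQL string literal but does nothing in an HTML attribute, so the SQL-side fix does not close this finding; and the escaping must happen at output, for the context the value lands in, rather than by filtering at input, since the same value may also be written into a SQL query, a JavaScript string, or a URL, each with its own escaping rules.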
