Need a first aid solution for vulnerability in scripts
Hi,
My site has the issue below and I don't really know how I can apply first aid to this situation.
Any advice will be appreciated…
And all the action=" are fixed to action="".
I attached two files:
- confirm.php
- 131_cvrs.php
Using the GET HTTP method, SiteLock found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The 'fax' parameter of the /parts/confirm.php CGI :
/parts/confirm.php?vto=&street2=&street1=&state_province=&exp_year=&exp_month=&email=&del_detail=&cvv=&country=&Submit_order=Checkout&ad_detail=&cc_number=&cc_type=&city=&postcode=&firstname=&lastname=&payee=&phone=&fax=x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26
-------- output --------
------------------------
+ The 'RCUK_2_ID_Add' parameter of the /parts/131_cvrs.php CGI :
/parts/131_cvrs.php?RCUK_View_100=View%20orders&RCUK_9_Quantity_Add=1&RCUK_8_ID_Add=743&RCUK_8_ATC=Add%20to%20order&RCUK_7_Quantity_Add=1&RCUK_7_Options_Add=402%2b%2fT%2fTop%2fM%2c%20for%20402%2b%2c%20traditional%20rigger%2c%20top%20cox%2c%20mid%20section%20(1180cm%2f163cm)&RCUK_7_ID_Add=742&RCUK_5_Quantity_Add=1&RCUK_5_Options_Add=402%2b%2fT%2fTop%2c%20for%20402%2b%2c%20traditional%20rigger%2c%20top%20cox%20(1180cm%2f163cm)&RCUK_5_ID_Add=740&RCUK_5_ATC=Add%20to%20order&RCUK_4_Quantity_Add=1&RCUK_3_ID_Add=732&RCUK_3_ATC=Add%20to%20order&RCUK_2_Quantity_Add=1&RCUK_2_Options_Add=401-%2fW%2c%20for%20401-%2c%20wing%20rigger&RCUK_9_Options_Add=402%2b%2fT%2fSte%2c%20for%20402%2b%2c%20traditional%20rigger%2c%20stern%20cox%20(1180cm%2f163cm)&RCUK_12_Options_Add=402%2b%2fW%2fSte%2fM%2c%20for%20402%2b%2c%20wing%20rigger%2c%20stern%20cox%2c%20mid%20section%20(1180cm%2f163cm)&RCUK_12_ID_Add=747&RCUK_12_ATC=Add%20to%20order&RCUK_11_Quantity_Add=1&RCUK_11_Options_Add=402%2b%2fT%2fSte%2fM%2c%20for%20402%2b%2c%20traditional%20rigger%2c%20stern%20cox%2c%20mid%20section%20(1180cm%2f163cm)&RCUK_11_ID_Add=746&RCUK_10_ATC=Add%20to%20order&RCUK_10_ID_Add=745&RCUK_10_Options_Add=402%2b%2fW%2fSte%2c%20for%20402%2b%2c%20wing%20rigger%2c%20stern%20cox%20(1180cm%2f163cm)&RCUK_10_Quantity_Add=1&RCUK_11_ATC=Add%20to%20order&RCUK_12_Quantity_Add=1&RCUK_1_ATC=Add%20to%20order&RCUK_1_ID_Add=730&RCUK_1_Options_Add=401-%2fT%2c%20for%20401-%2c%20traditional%20rigger&RCUK_1_Quantity_Add=1&RCUK_2_ATC=Add%20to%20order&RCUK_3_Options_Add=401-%2fT%2fM%2c%20for%20401-%2c%20traditional%20rigger%2c%20mid%20section&RCUK_3_Quantity_Add=1&RCUK_4_ATC=Add%20to%20order&RCUK_4_ID_Add=733&RCUK_4_Options_Add=401-%2fW%2fM%2c%20for%20401-%2c%20wing%20rigger%2c%20mid%20section&RCUK_6_ATC=Add%20to%20order&RCUK_6_ID_Add=741&RCUK_6_Options_Add=402%2b%2fW%2fTop%2c%20for%20402%2b%2c%20wing%20rigger%2c%20top%20cox%20(1180cm%2f163cm)&RCUK_6_Quantity_Add=1&RCUK_7_ATC=Add%20to%20order&RCUK_8_Options_Add=402%2b%2fW%2fTop%2fM%2c%20for%20402%2b%2c%20wing%20rigger%2c%20top%20cox%2c%20mid%20section%20(1180cm%2f163cm)&RCUK_8_Quantity_Add=1&RCUK_9_ATC=Add%20to%20order&RCUK_9_ID_Add=744&RCUK_2_ID_Add=731%7C%7C%20ping%20-n%203%20127.0.0.1%20%26
-------- output --------
------------------------
Thank you so much for your help.
Rika
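The scanner's finding is a time-based command injection probe: it appends `|| ping -n 3 127.0.0.1 &` to the `fax` and `RCUK_2_ID_Add` parameters and watches whether the response is delayed, which only happens when the parameter value reaches a shell. The first-aid fix is therefore on the server side: validate each parameter against a strict expected shape before using it, and never build a shell command string from raw request data. The following is an added example written for this thread, not code from the poster's confirm.php or 131_cvrs.php (neither file is shown here). It assumes, as the finding implies, that the scripts hand these values to a shell somewhere; the command name `some_tool` is a hypothetical stand-in.

```php
<?php
// Added example, not the poster's code. Assumption: confirm.php and 131_cvrs.php
// pass request parameters into a shell command, which is what a time-based
// command-injection finding indicates. Two layers of fix are shown:
//   1. strict allow-list validation of each parameter's shape;
//   2. if a shell call truly cannot be removed, quoting the value as a single
//      argument with escapeshellarg() so shell metacharacters stay literal.
declare(strict_types=1);

// A product ID such as RCUK_2_ID_Add must be a plain positive integer.
function valid_product_id(string $raw): ?int
{
    if (!preg_match('/^\d{1,9}$/', $raw)) {
        return null;          // "731|| ping ..." fails here and never goes further
    }
    return (int) $raw;
}

// A fax number: digits, spaces, +, -, parentheses only, 5 to 32 characters.
function valid_fax(string $raw): ?string
{
    if (!preg_match('/^[0-9 +()\-]{5,32}$/', $raw)) {
        return null;          // "x || ping ..." contains '|' and 'x', so it is rejected
    }
    return $raw;
}

// Read from whichever method the form actually uses; the scanner used GET.
function request_param(string $name): string
{
    $value = $_POST[$name] ?? $_GET[$name] ?? '';
    return is_string($value) ? $value : '';
}

// BEFORE (the pattern that produces the finding; shown only as a comment):
//   shell_exec("some_tool --fax=" . $_GET['fax']);
// The shell parses "x || ping -n 3 127.0.0.1 &" as a second command.

// AFTER: validate, reject on failure, and quote if a shell is unavoidable.
$fax = valid_fax(request_param('fax'));
$id  = valid_product_id(request_param('RCUK_2_ID_Add'));

if ($fax === null || $id === null) {
    http_response_code(400);
    exit('Invalid input');
}

// escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
// so the whole string is delivered to some_tool as one argument.
$cmd = 'some_tool --fax=' . escapeshellarg($fax)
     . ' --id=' . escapeshellarg((string) $id);
// $out = shell_exec($cmd);  // hypothetical tool; left commented so the file runs as-is
```

The validation step is the one that actually closes the hole; `escapeshellarg()` is a second line of defence for the case where the shell call cannot be removed yet. Longer term, replace the shell call with a PHP function or a database query that takes the value as data rather than as part of a command line, and apply the same allow-list check to the other parameters in the scanner's URLs (`cc_number`, `postcode`, the `RCUK_*_Options_Add` fields), since each is handled the same way by whatever code reads it.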