Security Issues
Hi,
I have used all your WebAssist products for a while now and think they're great. I have a problem with the Power Store.
I have produced an ecommerce website using Power Store, but my customer wanted to add McAfee onto the website, and this program has found several possible security issues.
Description
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data.
The information gathered from the specific error responses generated using various input validation techniques by the web application scanner has determined the remote host may be running a MySQL database.
The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via webapp may cause a database to generate an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access.
General Solution
THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.
The following is an acceptable solution; however, it is not optimal.
Implement content parsing on data input fields including URL parameters.
Remove the following characters from any user or dynamic database input: (examples in VBScript)
• ' (escape the single quote) input = replace( input, "'", "''" )
• " (double quote) input = replace( input, """", "" )
• ) (close parenthesis) input = replace( input, ")", "" )
• ( (open parenthesis) input = replace( input, "(", "" )
• ; (semi-colon) input = replace( input, ";", "" )
• - (dash) input = replace( input, "-", "" )
• | (pipe) input = replace( input, "|", "" )
On text input it is recommended to append quotes around the user supplied input.
Please contact ScanAlert Support if you need further instructions.
Is this something I have to worry about?
And would you make the changes they are advising?
Kind Regards
Brian
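As an added example (not code from the post, from WebAssist or from ScanAlert), the script below implements the per-parameter allowlist check the report calls the single best fix, next to a Python port of its VBScript character-stripping fallback, so the two can be compared on the same inputs. The parameter names and patterns are assumptions for a typical storefront form, not Power Store's real schema.

```python
import re

# Assumed allowlist: one pattern per expected form parameter. Anything that is
# not listed here, or that does not match, is rejected rather than "cleaned".
ALLOWED = {
    "product_id": re.compile(r"[0-9]{1,10}"),               # numeric id only
    "quantity":   re.compile(r"[1-9][0-9]{0,2}"),            # 1..999
    "postcode":   re.compile(r"[A-Za-z0-9 ]{3,10}"),
    "email":      re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "name":       re.compile(r"[A-Za-z][A-Za-z' -]{0,49}"),  # O'Brien-Smith is fine
}


def validate(params):
    """Allowlist approach from the report: return (accepted, rejected).

    `accepted` holds parameters whose whole value matched their pattern;
    `rejected` maps the others to a reason. Unknown parameters are rejected
    too, since an attacker-supplied extra field has no legitimate use.
    """
    accepted, rejected = {}, {}
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None:
            rejected[name] = "unexpected parameter"
        elif not pattern.fullmatch(value):        # fullmatch: no partial hits
            rejected[name] = "value does not match allowed form"
        else:
            accepted[name] = value
    return accepted, rejected


def strip_blacklist(value):
    """Port of the report's VBScript fallback, in the order it lists them:
    double the single quote, then delete " ) ( ; - and |."""
    value = value.replace("'", "''")
    for ch in '")(;-|':
        value = value.replace(ch, "")
    return value


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    print(validate({"product_id": "42", "quantity": "3", "name": "O'Brien-Smith"}))
    print(validate({"product_id": "12 OR 1=1", "colour": "red"}))
    # The blacklist mangles a legitimate surname but leaves a quote-free
    # numeric payload untouched, which is why the report calls it "not optimal".
    print(strip_blacklist("O'Brien-Smith"), "|", strip_blacklist("12 OR 1=1"))
```

The allowlist accepts the hyphenated, apostrophised surname that the stripping routine corrupts, and rejects the numeric parameter that the stripping routine passes through unchanged.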