close ad
Databridge V2 with MySQLi support IS Now Available!
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Security Concern

Thread began 11/28/2018 8:27 pm by jo271221 | Last modified 12/12/2018 3:34 pm by Ray Borduin | 177 views | 11 replies |

jo271221

Security Concern

Please see attachment for private details.

Sign in to reply to this post

Ray BorduinWebAssist

We fixed any SQL injection holes in our code probably 10 years ago now. If you attach a page that you think has SQL injection vulnerabilities then I can take a look and tell you if there are any and how to fix them. In general all webassist code should be secure, but hand editing can lead to security holes. The code you included doesn't have any vulnerability. SQL injections occur when form posts or url parameters are used directly in a recordset or insert/update statement. This allows someone to "inject" additional SQL code into the query. We prevent this using a variety of methods, but I can take a look at pages you think have issues and tell you if they do and where.

Sign in to reply to this post

jo271221

Thank you!

Sign in to reply to this post

Ray BorduinWebAssist

I couldn't see any SQL Injection holes in these files. Can I see your copy of:
/webassist/database_management/wa_appbuilder_php.php

I'll make sure it is up to date and doesn't have any security holes in it.

Did you get information with a sample url or something that exposes the SQL Injection hole? Your files seem to have a lot of hand code. A single line of code on a single page can open a security hole, so it could just be on another page in the site.

Sign in to reply to this post

jo271221

Comments in PM

Attached Files
wa_appbuilder_php.php
Sign in to reply to this post

Ray BorduinWebAssist

It may be other pages that are vulnerable. I know you had a lot of hand coding done. Plain text passwords are a secondary concern, but really that only becomes an issue once someone can take advantage of SQL Injection. XSS (cross site scripting) is another issue entirely. It isn't as big of a deal, but probably more widespread. You can have a company test your site for vulnerabilities and give you a report that includes pages and examples. That is probably what this person did on your site and they are just holding back the details. It is really hard to fix without details.

Sign in to reply to this post

jo271221

OK, Thank you!

1) What are plain text passwords?
2) I attached the wa_appbuilder_php.php - Did you have a chance to take a look at that?

Sign in to reply to this post

Ray BorduinWebAssist

That file doesn't have any issues... It has SQL Injection code in place. My guess is that the SQL Injection holes (if any) are in hand coded sections.

Plain text passwords just means that your passwords aren't encrypted in your database.

Sign in to reply to this post

jo271221

Do urls like this pose a security risk? https://performancehorsehotline.com/posts-horse.php?&caption=2018+BFA&Search=Search
If so is there a tutorial on url rewrites?
Thank you!

Sign in to reply to this post

Ray BorduinWebAssist

The URL itself is not a security risk, and a mod rewrite wouldn't eliminate a security risk if one did exist.

The security risk is if you use the $_GET variable directly in a SQL statement or displayed on the page without scrubbing it to prevent malicious content from being introduced.

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...