Blind SQL injection issue

This forum is for discussing mojoPortal development

This thread is closed to new posts.
3/6/2014 3:46:40 AM
Total Posts 36

Blind SQL injection issue

Hi,

I am using Aperia Solutions for a PCI scan and I am getting Blind SQL injection in mojoPortal code.

We have tried all possible solutions available but could not find a solution. Could you please help us in this regard?

3/6/2014 8:21:59 AM
Total Posts 18439

Re: Blind SQL injection issue

I do not believe there is any possibility of a SQL injection vulnerability in mojoPortal or any features we ship. We use parameterized queries and procedures and we never concatenate user input into SQL statements.

Such tools often give false positives. If you think there is a problem you would have to provide much more specific details about where this tool thinks there is a vulnerability and on what basis it thinks that.

If you are using any custom code or third party code we cannot vouch for that, but we are very confident that no such vulnerability exists in our code.

3/13/2014 2:43:52 AM
Total Posts 36

Re: Blind SQL injection issue

Hi Joe,

I did some research and found that they reproduced this issue on IE 7 with Vista as the OS. This is a charset vulnerability. It happens when a browser assumes a page is UTF-7. Almost all modern browsers assume UTF-8, so this is a vulnerability that occurs only in old browsers; you can't reproduce it if you use a modern browser. I tried to reproduce this issue on IE 7 and found one problem.

I am aware that mojoPortal adds the meta tag <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> but this is after the title tag. As per the solution available on the internet to fix the Blind SQL injection issue, we should add charset = utf-8 before the title tag. So we added <meta charset="utf-8"> in my layout.master page of my skin folder. After doing some analysis we found two issues:

  • Though we didn't add an end tag, in view source it is still displayed as <meta charset="utf-8" />. So I think this could be an issue, since old browsers (IE 8 and below) do not ignore this end tag and hence consider it incorrect syntax. I am not sure why this end tag is added.
  • In browsers IE 8 and below, the meta tag is displayed below the title tag even though we added it above the title tag.

Can you please help us in this regard.
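
The charset-placement question raised in the post above can be checked mechanically. The following is an added example, not part of the original thread and not mojoPortal code: it reports whether a response declares its encoding in the Content-Type header and whether the meta declaration precedes the title and ends within the first 1024 bytes. The function names and both sample responses are hypothetical, and the scan is regex-based rather than a full HTML parse.

```javascript
// Added example: audit where a response declares its character encoding.
// Function names and both sample responses are constructed for illustration.
function charsetFromContentType(value) {
  const m = /;\s*charset\s*=\s*"?([^\s;"]+)"?/i.exec(value || "");
  return m ? m[1].toLowerCase() : null;
}

function auditCharset(headers, html) {
  const findings = [];
  const headerCharset = charsetFromContentType(headers["content-type"]);
  // Covers <meta charset="..."> and the http-equiv Content-Type form.
  const meta = /<meta\b[^>]*?charset\s*=\s*["']?([\w-]+)[^>]*>/i.exec(html);
  const metaCharset = meta ? meta[1].toLowerCase() : null;
  const titleIdx = html.search(/<title\b/i);

  if (!headerCharset) findings.push("no charset in Content-Type header");
  if (!meta) {
    findings.push("no meta charset declaration");
  } else {
    if (titleIdx !== -1 && meta.index > titleIdx) {
      findings.push("meta charset appears after <title>");
    }
    // HTML requires the declaration to end within the first 1024 bytes.
    const endByte = Buffer.byteLength(html.slice(0, meta.index + meta[0].length), "utf8");
    if (endByte > 1024) findings.push("meta charset ends beyond the first 1024 bytes");
    if (headerCharset && headerCharset !== metaCharset) {
      findings.push("header and meta charset disagree");
    }
  }
  return { headerCharset, metaCharset, findings };
}

// Constructed sample: declaration after the title, none in the header.
const LATE = {
  headers: { "content-type": "text/html" },
  html: '<html><head><title>Home</title>' +
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head></html>',
};
// Constructed sample: declared in the header and before the title.
const EARLY = {
  headers: { "content-type": "text/html; charset=utf-8" },
  html: '<html><head><meta charset="utf-8"><title>Home</title></head></html>',
};

for (const [name, r] of Object.entries({ LATE, EARLY })) {
  console.log(name, auditCharset(r.headers, r.html));
}
```

Header names are expected in lowercase, as Node's HTTP client returns them.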

3/13/2014 8:11:59 AM
Total Posts 18439

Re: Blind SQL injection issue

You started this thread asking about SQL injection; what you are talking about now has nothing to do with SQL injection. If you have a different question please start a new thread and ask the question more clearly.

3/13/2014 10:46:03 PM
Total Posts 36

Re: Blind SQL injection issue

Sorry for the confusion, but the issue was reported by Aperia Solutions as a Blind SQL injection issue. After my research I found that it is something related to a charset vulnerability. I have started another thread for the charset vulnerability.
