I have a blog set up as a subdirectory of my e-comm site and everything gets scanned for PCI compliance, etc by scanalert. They found the following vulnerabilities that I need to get fixed:
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data.
There recommended fix is this:
THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.
The following is an acceptable solution however it is not optimal.
Implement content parsing on data input fields including URL parameters.
Remove the following characters from any user or dynamic database input: (examples in VBScript)
‘ (escape the single quote) input = replace( input, “‘”, “”” )
” (double quote) input = replace( input, “”””, “” )
) (close parenthesis) input = replace( input, “)”, “” )
( (open parenthesis) input = replace( input, “(“, “” )
; (semi-colon) input = replace( input, “;”, “” )
– (dash) input = replace( input, “-“, “” )
| (pipe) input = replace( input, “|”, “” )
On text input it is recommended to append quotes around the user supplied input.
Where and how can I apply these changes?
- The topic ‘MySQL Database Error Disclosure Vulnerability’ is closed to new replies.