[v1.5.1.2] SQL Injection Warning?

Posted: Fri Dec 09, 2011 11:44 pm
by england4eva
Hello,

I use a "website scanner" on my site which gives a security stamp if there are no issues found. It scans the site for problems and security issues.

Today it has picked up :-
Description:
By providing specially crafted parameters to cgis, Site Scanner was able to
get an error from the underlying database. This error suggests that
the cgi is affected by a SQL injection vulnerability.

An attacker may be able to exploit this flaw to bypass authentication,
read confidential data, modify the remote database, or even take
control of the remote operating system.
The example test it gives is :-
Result :
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]
Error: Could not make a database connection using mysite_mysite@ [...]
<b>Warning</b>: mysql_close(): supplied argument is not a valid MySQL-L
ink resource in <b>/home/mysite/public_html/system/database/mysql.php</
b> on line <b>66</b><br />
another example..
Result :
<b>Warning</b>: mysql_connect() [<a href='function.mysql-connect' [...]
Error: Could not make a database connection using mysite_mysite@ [...]
<b>Warning</b>: mysql_close(): supplied argument is not a valid MySQL-L
ink resource in <b>/home/mysite/public_html/system/database/mysql.php</
b> on line <b>66</b><br />
Without this being resolved I have lost my security seal. I am also wondering if this is a security issue in OpenCart and if there is something I can do to rectify it.

Thanks for your help.

Re: [v1.5.1.2] SQL Injection Warning?

Posted: Sat Dec 10, 2011 2:13 am
by uksitebuilder
I tried your URL on my test site for 1.5.1.2 and could not reproduce the 'WARNINGS'.

The second URL was blocked by IE and FF for a potential XSS (cross-site scripting) attempt.

Make sure you have 'Display Errors' disabled in admin System - Server tab.

Display Errors should not be enabled in a production site.

Re: [v1.5.1.2] SQL Injection Warning?

Posted: Tue Dec 13, 2011 3:48 pm
by england4eva
uksitebuilder wrote: Make sure you have 'Display Errors' disabled in admin System - Server tab

Display Errors should not be enabled in a production site.

I did this and had my site rechecked, now they tell me they couldn't reproduce it and it must have been a false positive. That said, before I disabled Display Errors they thought it was a problem. So it seems your advice has worked UKSiteBuilder, so thank you :)

Even if it was an error on their part I wasn't aware Display Errors should be disabled.

Re: [v1.5.1.2] SQL Injection Warning?

Posted: Tue Dec 13, 2011 4:06 pm
by uksitebuilder
Most people aren't aware of that. From a developer's view, they will (should) know to have it turned off and IMHO, it should be turned off by default when OC is installed.

Most people will be fine with it on, as it really depends on how high the 'error_reporting' PHP setting is on your server.

If it is set to E_ALL then PHP will literally moan about every little thing, giving notices, warnings and errors.

Of course knowing what the errors and warnings are is a must, but these should be tested and ironed out before going live.

Notices on the other hand will not stop the site from working, but again good to get these ironed out prior to releasing to the public.

Every notice, warning and error is displayed with your server path, so it is a good idea to not show this to the world if/when it occurs.
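
A check a site owner can run over their own pages' HTML to confirm that no PHP error output, and with it the server path mentioned above, reaches visitors. This is an added example, not part of the original thread or OpenCart's code; the function names are hypothetical and the sample response is constructed, with its first warning modelled on the scanner result quoted in the first post.

```python
import html
import re

LEVELS = "Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards"
# PHP with display_errors on emits: <b>Level</b>: message in <b>file</b> on line <b>N</b>
START_RE = re.compile(rf"<b>({LEVELS})</b>:")
TAIL_RE = re.compile(r"\bin <b>([^<]+)</b> on line <b>(\d+)</b>")
TAG_RE = re.compile(r"<[^>]+>")


def find_php_error_leaks(body):
    """Return one finding per PHP error block rendered into a response body."""
    findings = []
    starts = list(START_RE.finditer(body))
    for i, start in enumerate(starts):
        # Limit each search to the text before the next error marker so a
        # truncated error cannot borrow the path of the one that follows it.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        chunk = body[start.end():end]
        tail = TAIL_RE.search(chunk)
        raw_message = chunk[:tail.start()] if tail else chunk
        message = " ".join(html.unescape(TAG_RE.sub("", raw_message)).split())
        findings.append({
            "level": start.group(1),
            "message": message[:200],
            "path": tail.group(1) if tail else None,   # disclosed server path
            "line": int(tail.group(2)) if tail else None,
        })
    return findings


def disclosed_paths(findings):
    """Unique filesystem paths that the error output revealed."""
    return sorted({f["path"] for f in findings if f["path"]})


# Constructed sample response (not captured from any real site).
SAMPLE_BODY = (
    "<html><body>\n<br />\n<b>Warning</b>:  mysql_close(): supplied argument "
    "is not a valid MySQL-Link resource in "
    "<b>/home/mysite/public_html/system/database/mysql.php</b> on line "
    "<b>66</b><br />\n<br />\n<b>Notice</b>:  Undefined index: example in "
    "<b>/home/mysite/public_html/index.php</b> on line <b>10</b><br />\n"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in find_php_error_leaks(SAMPLE_BODY):
        print(finding)
    print("Disclosed paths:", disclosed_paths(find_php_error_leaks(SAMPLE_BODY)))
```

An empty result for every page tested is what a site with 'Display Errors' disabled should produce.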

Re: [v1.5.1.2] SQL Injection Warning?

Posted: Tue Dec 13, 2011 9:14 pm
by Xsecrets
Actually, PHP is set to E_ALL by the OpenCart script, and has errors turned on. It was a huge coding adjustment for me when I first started working with it. Most scripts throw tons of notices. I agree that display errors should be turned off on a production site, but those are still strange errors, as they both were mysql_connect errors and OpenCart does not take any remote input for mysql_connect.