developpeur
 24581 
|  Posté : 25-01-2015 18:03
======================================
Reported By - Narendra Bhati
Email - bhati.contact@gmail.com
Security Analyst @ Suma Soft. Pvt. Ltd
======================================
It is a time based sql injection http request = which is taking a time to response which make me confirm that there is a sql injection
===============================================
File : search.php
The verification in search.php that a SQL query is able to execute the sql statement: 'benchmark' establish the potential vulnerability to a SQL injection.
It's brilliant and many thanks to Narendra Bhati (Security Analyst - IT Risk & Security Management Services chez Suma Soft) for this.
Correction:
- The first step to correct is to add the word 'benchmark' in url protect.php (modules/include).
=> add a line below the " delete ", instruction in the sql_injection section => " benchmark ", in order to disable the issue.
- The second step is made directly by the core of NPDS in the sanitation of the SQL flow.
Many thanks one more time to Narendra Bhati. |
