NPDS : Gestion de contenu et de communauté
Content & Community Management System (CCMS) robuste, sécurisé, complet, performant, parlant vraiment français, libre (Open-Source) et gratuit.
20 visiteur(s) et 1 membre(s) en ligne.
Autres infos
Activité du Site
Pages vues depuis 25/05/2001 : 108 510 642
- Nb. de membres 8 693
- Nb. d'articles 1 695
- Nb. de forums 26
- Nb. de sujets 8
- Nb. de critiques 92
Index du forum »» Sécurité »» search.php - time based sql injection
Nouveau sujet
search.php - time based sql injection #26233Répondre
1Contributeur(s)
3 Modérateur(s)
developpeur
======================================
Reported By - Narendra Bhati
Email - bhati.contact@gmail.com
Security Analyst @ Suma Soft. Pvt. Ltd
======================================
It is a time based sql injection http request = which is taking a time to response which make me confirm that there is a sql injection
===============================================
File : search.php
The verification in search.php that a SQL query is able to execute the sql statement: 'benchmark' establish the potential vulnerability to a SQL injection.
It's brilliant and many thanks to Narendra Bhati (Security Analyst - IT Risk & Security Management Services chez Suma Soft) for this.
Correction:
- The first step to correct is to add the word 'benchmark' in url protect.php (modules/include).
=> add a line below the " delete ", instruction in the sql_injection section => " benchmark ", in order to disable the issue.
- The second step is made directly by the core of NPDS in the sanitation of the SQL flow.
Many thanks one more time to Narendra Bhati.
Reported By - Narendra Bhati
Email - bhati.contact@gmail.com
Security Analyst @ Suma Soft. Pvt. Ltd
======================================
It is a time based sql injection http request = which is taking a time to response which make me confirm that there is a sql injection
===============================================
File : search.php
The verification in search.php that a SQL query is able to execute the sql statement: 'benchmark' establish the potential vulnerability to a SQL injection.
It's brilliant and many thanks to Narendra Bhati (Security Analyst - IT Risk & Security Management Services chez Suma Soft) for this.
Correction:
- The first step to correct is to add the word 'benchmark' in url protect.php (modules/include).
=> add a line below the " delete ", instruction in the sql_injection section => " benchmark ", in order to disable the issue.
- The second step is made directly by the core of NPDS in the sanitation of the SQL flow.
Many thanks one more time to Narendra Bhati.
developpeur
Ce post reprends en anglais le topic déjà discuté ici => http://www.npds.org/viewtopic.php?topic=26189&forum=12
La correction sera mise à disposition rapidement
La correction sera mise à disposition rapidement