Aug 28th, 2014, 4:59 AM
We recently failed our PCI compliance scan, and one of the failure items referred to an SQL injection vulnerability (I've posted the full text of the failure below). The only SQL script we're using is formtools, so I'm guessing that's the source.
We aren't using the API -- so maybe that's the issue -- and that's my question: Does the Formtools API have the necessary cleansing routines built in? Will using the FT API resolve this?
Thanks,
John
And here's the text that the PCI compliance drone spit out:
xxx.xxx.xx.xxx:2087/tcp Blind SQL injection vulnerability in locale
parameter to /.
(I x'd out the IP address)
When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query.
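The scanner finding above is a boolean-based blind injection: the attacker never sees query output, only whether the page behaves as it does for a valid locale or not, and uses that yes/no signal to pull data out one character at a time. The example below is added here to show that mechanism and why the fix is parameterised queries (plus an allowlist for a parameter like locale, which only ever takes a handful of known values) rather than "cleansing" characters. It is not Form Tools code and says nothing about what the Form Tools API does; the tables, the locale codes and the api_key value are constructed sample data, and SQLite stands in for MySQL. One check worth doing before changing any PHP: confirm which application actually answers on the flagged port, since 2087/tcp is the port cPanel's WHM normally listens on, and the scanner attributed the parameter to that service rather than to a form page.

```python
import re
import sqlite3
import string

# Constructed sample schema, not Form Tools' own: a locale table plus a second
# table holding something the attacker wants to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locales (code TEXT PRIMARY KEY, label TEXT)")
    conn.executemany("INSERT INTO locales VALUES (?, ?)",
                     [("en_us", "English"), ("fr_fr", "French"), ("de_de", "German")])
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT)")
    conn.execute("INSERT INTO secrets VALUES (1, 'k3y-example')")  # constructed value
    conn.commit()
    return conn


def locale_exists_vulnerable(conn, locale):
    """Vulnerable: the request parameter is spliced into the SQL text, so a
    quote in it ends the string literal and the rest becomes SQL syntax."""
    sql = "SELECT label FROM locales WHERE code = '%s'" % locale
    return conn.execute(sql).fetchone() is not None


def locale_exists_safe(conn, locale):
    """Hardened: a bound parameter is always a value, never SQL, whatever
    characters it contains."""
    sql = "SELECT label FROM locales WHERE code = ?"
    return conn.execute(sql, (locale,)).fetchone() is not None


LOCALE_RE = re.compile(r"^[a-z]{2}_[a-z]{2}$")  # hypothetical allowlist shape

def locale_exists_allowlisted(conn, locale):
    """Defence in depth for a parameter with a fixed vocabulary: reject anything
    that is not shaped like a locale code before it reaches the database."""
    if not LOCALE_RE.match(locale):
        return False
    return locale_exists_safe(conn, locale)


CHARSET = string.ascii_lowercase + string.digits + "-_"

def blind_extract(conn, oracle, max_len=32):
    """Boolean-based blind extraction. `oracle` is one of the lookup functions
    above; the attacker only learns True/False per request, yet recovers
    secrets.api_key character by character when the oracle is injectable."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in CHARSET:
            # Valid locale, then an attacker-controlled condition, then a
            # comment that swallows the closing quote the code appends.
            payload = ("en_us' AND (SELECT substr(api_key,%d,1) FROM secrets "
                       "WHERE id=1) = '%s' -- " % (pos, ch))
            if oracle(conn, payload):
                recovered += ch
                found = True
                break
        if not found:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", repr(blind_extract(db, locale_exists_vulnerable)))
    print("parameterised:", repr(blind_extract(db, locale_exists_safe)))
    print("allowlisted :", repr(blind_extract(db, locale_exists_allowlisted)))
```

Run stand-alone, the vulnerable lookup leaks the whole constructed api_key through nothing but true/false answers, while the parameterised and allowlisted versions leak nothing, because the payload is compared as an ordinary string that matches no locale code. That is the property a scanner's blind-injection check is probing for, and it is obtained by how the query is built, not by filtering characters.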