PCI Compliance - SQL injection vulnerability?

The following warnings occurred:

Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)

File	Line	Function
/global.php	783	errorHandler->error
/showthread.php	26	require_once

Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)

File	Line	Function
/global.php	783	errorHandler->error
/showthread.php	26	require_once

Warning [2] Undefined variable $newpmmsg - Line: 40 - File: global.php(841) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/global.php(841) : eval()'d code	40	errorHandler->error
/global.php	841	eval
/showthread.php	26	require_once

Warning [2] Undefined array key "style" - Line: 909 - File: global.php PHP 8.1.31 (Linux)

File	Line	Function
/global.php	909	errorHandler->error
/showthread.php	26	require_once

Warning [2] Undefined property: MyLanguage::$lang_select_default - Line: 5024 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	5024	errorHandler->error
/global.php	909	build_theme_select
/showthread.php	26	require_once

Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	7162	errorHandler->error
/inc/functions.php	5044	is_member
/global.php	909	build_theme_select
/showthread.php	26	require_once

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1370	fetch_forum_permissions
/showthread.php	137	forum_permissions

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1415	errorHandler->error
/inc/functions.php	1380	fetch_forum_permissions
/inc/functions.php	2909	forum_permissions
/showthread.php	621	build_forum_jump

Warning [2] Undefined array key "mybb" - Line: 1952 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	1952	errorHandler->error
/inc/functions_indicators.php	41	my_set_array_cookie
/showthread.php	629	mark_thread_read

Warning [2] Undefined property: MyLanguage::$ratings_update_error - Line: 5 - File: showthread.php(732) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php(732) : eval()'d code	5	errorHandler->error
/showthread.php	732	eval

Warning [2] Undefined variable $postsdone - Line: 867 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	867	errorHandler->error

Warning [2] Trying to access array offset on value of type null - Line: 867 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	867	errorHandler->error

Warning [2] Undefined array key 11451 - Line: 867 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	867	errorHandler->error

Warning [2] Undefined array key 11453 - Line: 867 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	867	errorHandler->error

Warning [2] Undefined array key 11453 - Line: 1576 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	1576	errorHandler->error
/showthread.php	1578	buildtree
/showthread.php	1578	buildtree
/showthread.php	879	buildtree

Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions.php	7162	errorHandler->error
/inc/functions_user.php	844	is_member
/inc/functions_post.php	406	purgespammer_show
/showthread.php	880	build_postbit

Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions_post.php(474) : eval()'d code	6	errorHandler->error
/inc/functions_post.php	474	eval
/showthread.php	880	build_postbit

Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions_post.php	660	errorHandler->error
/showthread.php	880	build_postbit

Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions_post.php	741	errorHandler->error
/showthread.php	880	build_postbit

Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)

File	Line	Function
/inc/functions_post.php	746	errorHandler->error
/showthread.php	880	build_postbit

Warning [2] Undefined array key "invisible" - Line: 1506 - File: showthread.php PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php	1506	errorHandler->error

Warning [2] Undefined variable $threadnotesbox - Line: 30 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php(1533) : eval()'d code	30	errorHandler->error
/showthread.php	1533	eval

Warning [2] Undefined variable $multipage - Line: 33 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php(1533) : eval()'d code	33	errorHandler->error
/showthread.php	1533	eval

Warning [2] Undefined variable $multipage - Line: 65 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php(1533) : eval()'d code	65	errorHandler->error
/showthread.php	1533	eval

Warning [2] Undefined variable $addremovesubscription - Line: 79 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)

File	Line	Function
/showthread.php(1533) : eval()'d code	79	errorHandler->error
/showthread.php	1533	eval

FORUMS

The Form Tools forums are no longer active, but the old posts have been archived here. Please see the Help page on how to get help / report issues.

Thread Rating:

0 Vote(s) - 0 Average
1
2
3
4
5

Thread Modes

PCI Compliance - SQL injection vulnerability?

alexh

Offline

Moderator

Posts: 339
Threads: 42
Joined: Apr 2010
Reputation: 2

#2

Aug 28th, 2014, 4:37 PM

Are you using cPanel/WHM? xxx.xxx.xx.xxx:2087 is the port for cPanel, maybe that has something to do with it? I could be wrong but that might be something else to consider.

Alex

(Aug 28th, 2014, 4:59 AM)jgold723 Wrote: We recently failed our PCI compliance scan and one of the failure items was referred to an SQL injection vulnerability (I've posted the full text of the failure below). The only SQL script we're using is formtools, so I'm guessing that's the source.

We aren't using the API -- so maybe that's the issue -- and that's my question: Does the Formtools API have the necessary cleansing routines built in? Will using the FT API resolve this?

Thanks,

John

And here's the text that the PCI compliance drone spit out:

xxx.xxx.xx.xxx:2087/tcp Blind SQL injection vulnerability in locale
parameter to /.

(I x'd out the IP address)

When a web application uses user- supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query.

Reply

Find

« Next Oldest | Next Newest »

Messages In This Thread

PCI Compliance - SQL injection vulnerability? - by jgold723 - Aug 28th, 2014, 4:59 AM

RE: PCI Compliance - SQL injection vulnerability? - by alexh - Aug 28th, 2014, 4:37 PM

RE: PCI Compliance - SQL injection vulnerability? - by jgold723 - Aug 29th, 2014, 4:00 AM

View a Printable Version

Users browsing this thread: 1 Guest(s)

Powered By MyBB, © 2002-2025 MyBB Group.