amc.uscable.net | CWE-89 | SQL Injection | Hoyt LLC Research

Loading

SQL Injection, SQLi, amc.uscable.net, Vulnerability Crawler

Report generated by XSS.CX at Thu Dec 09 19:51:36 CST 2010.

Contents

1. SQL injection


1. SQL injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amc.uscable.net
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11420773%20or%201%3d1--%20 and 11420773%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

GET /?111420773%20or%201%3d1--%20=1 HTTP/1.1
Host: amc.uscable.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Thu, 09 Dec 2010 20:58:55 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
   <head>
       <title>Apache HTTP Server Test Page powered by CentOS</title>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
       <style type="text/css">
           body {
               background-color: #fff;
               color: #000;
               font-size: 0.9em;
               font-family: sans-serif,helvetica;
               margin: 0;
               padding: 0;
           }
           :link {
               color: #0000FF;
           }
           :visited {
               color: #0000FF;
           }
           a:hover {
               color: #3399FF;
           }
           h1 {
               text-align: center;
               margin: 0;
               padding: 0.6em 2em 0.4em;
               background-color: #3399FF;
               color: #ffffff;
               font-weight: normal;
               font-size: 1.75em;
               border-bottom: 2px solid #000;
           }
           h1 strong {
               font-weight: bold;
           }
           h2 {
               font-size: 1.1em;
               font-weight: bold;
           }
           .content {
               padding: 1em 5em;
           }
           .content-columns {
               /* Setting relative positioning allows for
               absolute positioning for sub-classes */
               position: relative;
               padding-top: 1em;
           }
           .content-column-left {
               /* Value for IE/Win; will be overwritten for other browsers */
               width: 47%;
               padding-right: 3%;
               float: left;
               padding-bottom: 2em;
           }
           .content-column-right {
               /* Values for IE/Win; will be overwritten for other browsers */
               width: 47%;
               padding-left: 3%;
               float: left;
               padding-bottom: 2em;
           }
           .content-columns>.content-column-left, .content-columns>.content-column-right {
               /* Non-IE/Win */
           }
           img {
               border: 2px solid #fff;
               padding: 2px;
               margin: 2px;
           }
           a:hover img {
               border: 2px solid #3399FF;
           }
       </style>
   </head>

   <body>
   <h1>Apache 2 Test Page<br><font size="-1"><strong>powered by</font> Cent
...[SNIP]...

Request 2

GET /?111420773%20or%201%3d2--%20=1 HTTP/1.1
Host: amc.uscable.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 09 Dec 2010 20:58:55 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5
X-Powered-By: PHP/5.1.6
Content-Length: 3229
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD><TITLE>US CABLE - Account Management Console</TITLE>
<link rel="shortcut icon" href="/favicon.ico">
<link rel="stylesheet" href="/themes/uscable/styles/main.css" type="text/css">
<link rel="stylesheet" href="/themes/uscable/styles/labels.css" type="text/css">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<script type="text/javascript" src="/JS/swfobject.js"></script>

</HEAD>

<BODY>
<div class='header'>
   <div class='serving'></div>
       <div class='icon'><a href='http://www.uscable.com/contact'><img border=0 width=62 height=72 alt='help' src='/themes/uscable/images/head_contact.gif'></a></div>
   <div class='icon'><a href="http://policies.uscable.com" target='_blank'><img border=0 width=44 height=72 alt='policies' src='/themes/uscable/images/head_policies.gif'></a></div>
       <div class='icon'><a href='http://www.uscable.com/support'><img border=0 width=48 height=72 alt='contact' src='/themes/uscable/images/head_support.gif'></a></div>
       <div class='icon'><a href='https://webmail.uscable.net/' target='_blank'><img border=0 width=44 height=72 alt='help' src='/themes/uscable/images/head_email.gif'></a></div>
   
       <div id="flash_logo" style = "background: #004990;">Loading...</div>

       <script type="text/javascript">
           var so = new SWFObject("/themes/uscable/images/header_animation_4.swf","logo", "704", "73", "#004990");            
           so.write("flash_logo");
       </script>

   </script>
</div>
<div class="page_wrapper nbody">
   <br />
   <br />
   <br />
   <br />
<CENTER>
<TABLE BORDER="0" WIDTH="380" CELLPADDING="0" CELLSPACING="0">
<FORM ACTION="login.php" METH
...[SNIP]...
Report generated by XSS.CX at Thu Dec 09 19:51:36 CST 2010.