Sandshot Software  
   Home   Products   Services   Support   Search   My Account 
SQL Injection Patch for StoreFront 5.0

SQL Injection Patch for StoreFront 5.0

Product ID: SQLInjection
Vendor: Sandshot Software
Description: 

StoreFront 5.0 is vulnerable to SQL Injection attacks. The last release, 50.5, only partially corrected this vulnerability. Many sites have attempted to implement custom error handlers, which I recommend, to "protect" themselves. This is known as "security by obscurity" and is generally not effective. ScanAlert detects these vulnerabilities, to include blind SQL Injection, and can pull your HackerSafe logo. More importantly, this means hackers can access your customers' credit card data (even if it is encrypted it can be easily decrypted), database records can be altered (think changing logins, setting prices to a penny), and the database itself can be deleted.

Ideally, you would secure your application by checking all user input for correctness prior to allowing the input into your database. Further, you would alter the database code to use paramaterized queries instead of using dynamic SQL queries. Based on the experience of doing this in the rewrite of StoreFront 5.0, this would take dozens to hundreds of hours.

This solution actually checks user input before the database connection is established and if malicious input is detected, a warning message is displayed without opening the database thus keeping it protected. Additionally, it is possible to check each user input for type correctness (ex. product codes only alphanumeric, category IDs only numeric) for additional protection.

Features

  • Forms, querystrings, and even cookies are checked for malicious input
  • Detections can be logged for review to allow for tuning of the filters
  • Detections can be emailed
  • User input is screened prior to opening the database connection

Disclaimer: This application is just one layer of defense and while substantial, it should not be considered to be 100% effective.

StoreFront 5.0 SQL Injection Test

Instructions:

Interpreting Results:

  1. If you see a name/credit card number you are vulnerable
  2. If you see a name/encrypted credit card number you are vulnerable
  3. If you see a custom error page you still may be vulnerable. This is just a simple test and there are other techniques which are in use.
Disclaimer: Passing this test can not be interpreted as indicating the site is not vulnerable. If you're running a stock StoreFront 5.0 site you are vulnerable, period. This test is just the simplest, one-step way to demonstrate it. If you're concerned about this being put in the open, it is too late for that. I pulled this test from site server logs; there are automated scanners looking for this now. If you check your logs you will likely see probes like this.


Price: $400.00

Quantity:


Email a Friend

Our Top Sellers




Home | Products | Services | Support | My Account
Privacy | Site Map | About Us | Contact Us
 

StoreFront Hosting provided by Applied Innovations