SQL Injection Patch for StoreFront 5.0
Product ID: SQLInjection
Vendor: Sandshot Software
StoreFront 5.0 is vulnerable to SQL injection attacks. The last release, 50.5, only partially corrected this vulnerability. Many sites have attempted to "protect" themselves by implementing custom error handlers, which I do recommend, but on their own this is "security by obscurity" and is generally not effective. ScanAlert detects these vulnerabilities, including blind SQL injection, and can revoke your HackerSafe logo. More importantly, it means attackers can access your customers' credit card data (even if it is encrypted, it can be easily decrypted), alter database records (think changing logins or setting prices to a penny), and delete the database itself.
Ideally, you would secure your application by checking all user input for correctness before allowing it anywhere near your database. Further, you would alter the database code to use parameterized queries instead of dynamic SQL queries. Based on the experience of doing this in the rewrite of StoreFront 5.0, this would take dozens to hundreds of hours.
This solution checks user input before the database connection is established; if malicious input is detected, a warning message is displayed and the database is never opened, so it stays protected. Additionally, each user input can be checked for type correctness (e.g. product codes alphanumeric only, category IDs numeric only) for additional protection.
- Forms, query strings, and even cookies are checked for malicious input
- Detections can be logged for review to allow for tuning of the filters
- Detections can be emailed
- User input is screened prior to opening the database connection
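The screening described above, as an added Python illustration rather than Sandshot's patch code (StoreFront itself is a classic ASP application): per-field allowlist rules for typed parameters, a tunable metacharacter filter for everything else, a detection log, and a request handler that opens the database only when nothing was flagged. The field names, rules and the `open_database` callback are assumptions for the example.

```python
import logging
import re

log = logging.getLogger("sqli_screen")

# Per-field allowlist rules in the spirit of the page's examples: product codes
# alphanumeric only, category IDs numeric only. Field names are assumed, not
# StoreFront's actual parameter names.
FIELD_RULES = {
    "ProductID": re.compile(r"[A-Za-z0-9]{1,32}"),
    "CategoryID": re.compile(r"[0-9]{1,9}"),
    "Qty": re.compile(r"[0-9]{1,4}"),
}

# Fallback for fields with no type rule: reject the characters that let input
# break out of a dynamically built SQL string. Legitimate values such as O'Brien
# will trip this; the detection log exists so such filters can be tuned.
DEFAULT_BAD = re.compile(r"['\";]|--|/\*")

def screen_request(form, query, cookies):
    """Check every field from all three sources; return a list of detections.
    An empty list means the request is clean. Values are assumed to be strings."""
    detections = []
    for source, fields in (("form", form), ("querystring", query), ("cookie", cookies)):
        for name, value in fields.items():
            rule = FIELD_RULES.get(name)
            if rule is not None:
                ok = rule.fullmatch(value) is not None  # allowlist: whole value must match
            else:
                ok = DEFAULT_BAD.search(value) is None  # filter: no SQL metacharacters
            if not ok:
                detections.append((source, name, value))
                log.warning("SQLi screen: %s field %r rejected, value %r", source, name, value)
    return detections

def handle_request(form, query, cookies, open_database):
    """Screen first; open_database() is called only when nothing was flagged.
    Returns (connection, detections); connection is None on rejection, so the
    caller can render the warning page without the database ever being opened."""
    found = screen_request(form, query, cookies)
    if found:
        return None, found
    return open_database(), []

if __name__ == "__main__":
    # Constructed sample requests, not real StoreFront traffic.
    print(handle_request({"ProductID": "AB123"}, {"CategoryID": "7"}, {}, lambda: "db"))
    print(handle_request({"ProductID": "AB123"}, {"CategoryID": "7 OR 1=1"}, {}, lambda: "db"))
```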
Disclaimer: This application is just one layer of defense and, while substantial, it should not be considered 100% effective.