Author Topic: Potential SQL injection vulnerability - Found by PCI Check  (Read 3002 times)

beachy

  • Jr. Member
  • **
  • Posts: 277
  • VirtueMart Version: 2.0.22
Potential SQL injection vulnerability - Found by PCI Check
« on: June 01, 2011, 19:01:15 pm »
I am currently trying to secure my site down so that I can use the HSBC payment gateway and as part of this my site puretree.co.uk needs to pass a securitymetrics PCI check.

I have now moved our hosting to Rochen Hosting on a MVS (Virtual Server) platform which will meet the PCI requirements.

The PCI check has found the following security problem with my website but I am not sure where to start in fixing the solution. Has anyone had a similar problem before or has anyone managed to pass the Security Metrics PCI check with a Joomla/VM site?

Full details of the error are below:

Description: SQL injection vulnerability in amp;link parameter to /component/mailto/
Host: 212.113.150.91
OS: Linux 2.6.23
Date: May 31 08:26:45 2011
Status: new
Severity: Critical Problem 7.82372new11

Impact: A remote attacker could execute SQL commands on the back-end database, possibly leading to password retrieval, authentication bypass, unauthorized data access, or unauthorized data modification.

Background: Structured Query Language (SQL) is the most common language understood by modern relational databases. It is made up of queries. A typical query reads:

SELECT * FROM table WHERE condition

where table is a table belonging to a relational database, and condition is a logic condition which is either true or false for each row of the table. The query would return any or all rows for which the condition is true.

Resolution: All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query. See the references below for fix information for specific products.

Vulnerability Details:
Service: http
Sent:
GET /component/mailto/?tmpl=component&amp;link=' HTTP/1.0
Host: 212.113.150.91
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received:
<li>An error has occurred while processing your request.</li>

Cheers
_______
Joomla 2.5.11 Virtuemart 2.0.22
Apache 2.2.24 PHP 5.4.13
Hosted By RochenHost.com - MVS
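The scanner's "Resolution" paragraph (check user-supplied parameters before they reach SQL) shown as a vulnerable/hardened pair for a URL-style parameter like the mailto component's link; this is an added illustration, not Joomla, VirtueMart or the poster's code, and the PDO connection, the table mail_links, the column url and the sample URL are assumptions.

```php
<?php
// Added example: the scanner's probe is link=' (a single quote). In the
// vulnerable function that quote lands inside the SQL text; in the hardened
// one it is validated first and then passed as a bound value.
// Assumed for illustration: a PDO connection, table mail_links, column url.

// VULNERABLE: raw parameter concatenated into the statement. With link='
// the query becomes  SELECT ... WHERE url = '''  which is a syntax error,
// and an error response to that probe is what the scanner reports.
function findLinkVulnerable(PDO $pdo, string $link): array
{
    $sql = "SELECT id, url FROM mail_links WHERE url = '" . $link . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject input that is not what the parameter is meant to carry,
// then bind the value so it can never change the structure of the query.
function findLinkSafe(PDO $pdo, string $link): array
{
    if (filter_var($link, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($link, PHP_URL_SCHEME), ['http', 'https'], true)) {
        throw new InvalidArgumentException('link must be an http(s) URL');
    }
    $stmt = $pdo->prepare('SELECT id, url FROM mail_links WHERE url = :url');
    $stmt->execute([':url' => $link]);   // a stray quote is plain data here
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory SQLite database so the contrast runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mail_links (id INTEGER PRIMARY KEY, url TEXT)');
$pdo->exec("INSERT INTO mail_links (url) VALUES ('http://example.com/')");

try {
    findLinkVulnerable($pdo, "'");       // the scanner's probe value
} catch (PDOException $e) {
    echo "vulnerable version: SQL error -> ", $e->getMessage(), "\n";
}
try {
    findLinkSafe($pdo, "'");             // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "hardened version: ", $e->getMessage(), "\n";
}
print_r(findLinkSafe($pdo, 'http://example.com/'));   // one matching row
```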

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27954
  • Always on vacation
    • Jenkin Hill Internet
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VirtueMart 3.8.7 10374 on Joomla 3.9.23 PHP 7.4.12