SQL Injection, Blind SQL Injection and XSS, oh my - Joomla! Forum - community, help and support

-

when ibm appscan enterprise 9.0.2.0 scans our joomla 3.5.1/php 5.6.9/rhel6 website reports of following problems: 1) sql injection, 2) blind sql injection , 3) cross site scripting. unless can remediate these, can't use joomla. including excerpts these reports below. i'd happy supply full report if helps. (i tried include more of report stymied illegal characters.)

there multiple reports of blind sql injection, having "return" parameter:

[high] blind sql injection
issue: 132693140
severity: high
url: https://130.14.87.95/browse-repository/software/nlp-information-extraction/named-entity-recognition/36-abner
parameter: return
risk(s): possible view, modify or delete database entries , tables
fix: review possible solutions hazardous character injection

there sql injection issue involving "option" parameter:

[high] sql injection
issue: 132571376
severity: high
url: https://130.14.87.95/index.php
parameter: option
risk(s): possible view, modify or delete database entries , tables
fix: review possible solutions hazardous character injection

and lastly, there xss issue:

[high] cross-site scripting
issue: 132569149
severity: high
url: https://130.14.87.95/browse-repository/search
parameter: searchword
risk(s): possible steal or manipulate customer session , cookies, might used impersonate legitimate user,
allowing hacker view or alter user records, , perform transactions user
fix: review possible solutions hazardous character injection

please see:
viewtopic.php?f=621&t=582860





Comments

Post a Comment

Popular posts from this blog

Upgrade 3.4.8 to 3.5.1 failed "download package failed" - Joomla! Forum - community, help and support

-
hi guys there numerous threads on issue reading don't give simple solution. i stubborn guy , stick method suggested. hence placed stable3.5.1update-package.zip in local site /tmp file. pc connected web joomal 3.4.8 telling there new version. when click "install update", says "download of update package failed." unzip file , placed them in tmp folder, same error. as stated earlier want stick method quick straight forward. there must fix method. appreciate response. jm3.51updatefail.jpg make backup download joomla_3.5.1-stable-update_package.zip , use method b or c of https://docs.joomla.org/j3.x:upgrading_ ... 4.x_to_3.5 Board index Joomla! 3.x - Ask Support Questions Here Migrating and Upgrading to Joomla! 3.x
Read more

Joomal 3.6.3 update error - PHP temporary folder is not set - Joomla! Forum - community, help and support

-
hello, my current joomla version 3.6.0/joomla platform 13.1.0 (php version 5.6.18) , when tried update joomla 3.6.3 url, gave me "php temporary folder not set" error. tried update zip file local folder , gave me errors below. error com_installer_msg_install_warninstalluploaderror com_installer_msg_warnings_smalluploadsize please advise me how avoid above errors. if need create temporary folder, go? if need increase max_file_uploads in php.ini file, should value be? my website hosting company not joomla specialist, need know values required joomla work correctly! thanks in anticipation qamar qamar_uddin wrote: hello, gave me "php temporary folder not set" error. viewtopic.php?t=929087#p3415747 Board index Joomla! 3.x - Ask Support Questions Here Migrating and Upgrading to Joomla! 3.x
Read more

Fatal error during instalation - Joomla! Forum - community, help and support

-
Image
hi -- after after loading files of joomla 3.5 program, went site , tried open complete installation. got message: fatal error: require_once(): failed opening required '/homepages/37/d199794875/htdocs/gnustories/libraries/import.legacy.php' (include_path='.:/usr/lib/php5.5') in /homepages/37/d199794875/htdocs/gnustories/includes/framework.php on line 15 ran fpa program. hope way make available here. http://gnustories.org/fpa-en.php winku your domain name seems not working - not showing fpa report php page holding page generated isp (1 & 1) the easier way generate report fpa script , copy reply of thread (that intended way done). suggest review instructions on generating report makes format suitable forum. Board index Joomla! 3.x - Ask Support Questions Here Installation Joomla! 3.x
Read more