<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Neil,<br>
<br>
Curious.<br>
<br>
What I can definitely say is that "pickup.php" does not have a
parameter called "getdata", so you can set that to anything you like
and it shouldn't have any effect whatsoever.<br>
<br>
"changelocale.php" does, but that's not where they found any
problem.<br>
<br>
And even in "changelocale.php" it isn't recognised as a GET
parameter, only a POST. So again, setting it in the URL can't have
any effect.<br>
<br>
So I would say this is a false positive.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<div class="moz-cite-prefix">On 24/06/2021 09:54, Neil via ZendTo
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!caa6c42cb5f8bf6a50d9d167b70fdc7519824d156b6674f633668ebc4c082a32074eb9df87c8444b3fcd0412fd1a5a0a!@mx.jul.es">
Hello Jules
<div class=""><br class="">
</div>
<div class="">I’ve conducted an OWASP web application test against
our installation of zend.to, using ZAP (<a
href="https://www.zaproxy.org" class="moz-txt-link-freetext"
moz-do-not-send="true">https://www.zaproxy.org</a>).</div>
<div class=""><br class="">
</div>
<div class="">It has indicated one potential high risk, as a
potential SQL injection vulnerability.</div>
<div class=""><br class="">
</div>
<div class="">Do you have any thoughts on this, and whether it is
a false positive, please?</div>
<div class=""><br class="">
</div>
<div class="">Best wishes</div>
<div class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap: break-word;
-webkit-nbsp-mode: space; line-break: after-white-space;"
class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap: break-word;
-webkit-nbsp-mode: space; line-break: after-white-space;"
class=""><br class="">
Neil<br class="">
<br class="">
<br class="">
</div>
</div>
</div>
<table class="results" style="border: none; font-size: 13px;
font-family: "Helvetica Neue", Helvetica, Arial,
sans-serif;" width="100%">
<tbody class="">
<tr class="" bgcolor="#e8e8e8">
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="20%">Description</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">
<p class="">SQL injection may be possible.</p>
</td>
</tr>
<tr class="" valign="top">
<td colspan="2" style="padding: 3px 4px; word-break:
break-word;" class=""><br>
</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent1" style="padding: 4px 20px; word-break:
break-word;" width="20%">URL</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%"><a
href="https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%
2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl"
class="" moz-do-not-send="true">https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5
c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl</a></td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Method</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">GET</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Parameter</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">getdata</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Attack</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">[]' AND '1'='1</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent1" style="padding: 4px 20px; word-break:
break-word;" width="20%">URL</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%"><a
href="https://filetransfer.decoded.legal/pickup.php"
class="moz-txt-link-freetext" moz-do-not-send="true">https://filetransfer.decoded.legal/pickup.php</a></td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Method</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">POST</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Parameter</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">claimID</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td class="indent2" style="padding: 4px 40px; word-break:
break-word;" width="20%">Attack</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">ZAP" AND "1"="1" -- </td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="20%">Instances</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">2</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="20%">Solution</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">
<p class="">Do not trust client side input, even if
there is client side validation in place. </p>
<p class="">In general, type check all data on the
server side.</p>
<p class="">If the application uses JDBC, use
PreparedStatement or CallableStatement, with
parameters passed by '?'</p>
<p class="">If the application uses ASP, use ADO Command
Objects with strong type checking and parameterized
queries.</p>
<p class="">If database Stored Procedures can be used,
use them.</p>
<p class="">Do *not* concatenate strings into queries in
the stored procedure, or use 'exec', 'exec immediate',
or equivalent functionality!</p>
<p class="">Do not create dynamic SQL queries using
simple string concatenation.</p>
<p class="">Escape all data received from the client.</p>
<p class="">Apply an 'allow list' of allowed characters,
or a 'deny list' of disallowed characters in user
input.</p>
<p class="">Apply the principle of least privilege by
using the least privileged database user possible.</p>
<p class="">In particular, avoid using the 'sa' or
'db-owner' database users. This does not eliminate SQL
injection, but minimizes its impact.</p>
<p class="">Grant the minimum database access that is
necessary for the application.</p>
</td>
</tr>
<tr class="" bgcolor="#e8e8e8">
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="20%">Other information</td>
<td style="padding: 3px 4px; word-break: break-word;"
class="" width="80%">
<p class="">The page results were successfully
manipulated using the boolean conditions [[]' AND
'1'='1] and [[]' AND '1'='2]</p>
<p class="">The parameter value being modified was NOT
stripped from the HTML output for the purposes of the
comparison</p>
<p class="">Data was returned for the original
parameter.</p>
<p class="">The vulnerability was detected by
successfully restricting the data originally returned,
by manipulating the parameter</p>
</td>
</tr>
</tbody>
</table>
<div class=""><br class="">
</div>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Once is happenstance, twice is coincidence, three times is enemy
action.' - Ian Fleming
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
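<br>
The "Other information" block in the ZAP report describes the boolean-differential check (compare the page for <code>[]' AND '1'='1</code> against the page for <code>[]' AND '1'='2</code>) and notes that the echoed parameter value was <em>not</em> stripped before the comparison. The following Python is an added example, not part of this thread or of ZendTo: over constructed sample pages it shows why a page that merely echoes the parameter into a hidden field and carries a per-request token trips the naive comparison, and how normalising both away separates that false positive from a response whose returned data really changes with the condition. The page template, the 32-hex token format and the sample rows are assumptions.<br>

```python
import html
import re

# ZAP's boolean-condition pair, taken from the report above.
TRUE_COND = "[]' AND '1'='1"
FALSE_COND = "[]' AND '1'='2"
# Assumption: per-request tokens look like the 32-hex 'auth' values in the report URL.
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def sample_page(getdata, auth, rows):
    """Constructed stand-in for a page that echoes request state into hidden
    fields (not ZendTo's real template) and lists whatever the query returned."""
    items = "".join(f"<li>{html.escape(r)}</li>" for r in rows)
    return (f'<form><input type="hidden" name="getdata" value="{html.escape(getdata)}">'
            f'<input type="hidden" name="auth" value="{auth}"></form><ul>{items}</ul>')


def normalise(body, injected):
    """Drop the reflected payload (HTML-escaped or raw) and mask volatile tokens,
    the two steps the report says were not taken ('NOT stripped')."""
    for form in (html.escape(injected), injected):
        body = body.replace(form, "")
    return HEX32.sub("TOKEN", body)


def differs(true_body, false_body, normalised=True):
    """ZAP's signal: the TRUE and FALSE pages differ. After normalisation any
    remaining difference must come from the returned data itself."""
    if normalised:
        true_body = normalise(true_body, TRUE_COND)
        false_body = normalise(false_body, FALSE_COND)
    return true_body != false_body


def triage(true_body, false_body):
    """'false positive' when only reflection/tokens differ, else 'investigate'."""
    if not differs(true_body, false_body, normalised=False):
        return "no difference"
    return "investigate" if differs(true_body, false_body) else "false positive"


# Scenario A: the parameter is ignored (as Jules says of pickup.php); the page
# only echoes it and carries a fresh token on every request. Constructed values.
A_TRUE = sample_page(TRUE_COND, "0" * 32, ["report.pdf"])
A_FALSE = sample_page(FALSE_COND, "1" * 32, ["report.pdf"])
# Scenario B: the condition really changes what the query returns.
B_TRUE = sample_page(TRUE_COND, "0" * 32, ["report.pdf"])
B_FALSE = sample_page(FALSE_COND, "1" * 32, [])

if __name__ == "__main__":
    print("A:", triage(A_TRUE, A_FALSE))  # false positive
    print("B:", triage(B_TRUE, B_FALSE))  # investigate
```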
</body>
</html>