<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle22
        {mso-style-type:personal-compose;
        font-family:"Verdana",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">I tested this myself…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Visiting: <site>/pickup.php?getdata=[123]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Results in this in the source: ‘<input type="hidden" name="getdata" id="getdata" value="{&quot;getdata&quot;:&quot;[123]&quot;}"/>'+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">So, whilst pickup.php doesn’t use it the variable, it does cause it to be set in the <input> which would then POST to changelocale.php via JS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">It is also possible to set the postdata variable for example with curl:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">$ curl -s --data "postdata=[123]" https://<site> /pickup.php | grep 123<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">    '<input type="hidden" name="postdata" id="postdata" value="{&quot;postdata&quot;:&quot;[123]&quot;,&quot;auth&quot;:&quot;0fbecdfffe9da3c642a74605325c944b&quot;}"/>');<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">The data is encoded but it seems like it is normally encoded as it is (noting the auth). It might be feasible to craft something to impact changelocale.php depending
 on how it handles sanitising the getdata/postdata input.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">If it is unexpected to accept input from GET/POST to pickup.php, then it shouldn’t be set and passed to changelocale.php.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">I presume the detection it made was simply that the submitted string appears in the source.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> ZendTo <zendto-bounces@zend.to>
<b>On Behalf Of </b>Jules via ZendTo<br>
<b>Sent:</b> 30 June 2021 12:02<br>
<b>To:</b> ZendTo Users <zendto@zend.to><br>
<b>Cc:</b> Jules <Jules@Zend.To><br>
<b>Subject:</b> Re: [ZendTo] Potential SQL injection vulnerability?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:solid #9C6500 1.0pt;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal" style="line-height:12.0pt;background:#FFB366"><span style="font-size:10.0pt;color:black">CAUTION: External email. Ensure this message is from a trusted source before clicking links/attachments. If you are concerned forward this email to
<a href="mailto:spam@abdn.ac.uk">spam@abdn.ac.uk</a> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Neil,<br>
<br>
Curious.<br>
<br>
What I can definitely say is that "pickup.php" does not have a parameter called "getdata", so you can set that to anything you like and it shouldn't have any effect whatsoever.<br>
<br>
"changelocale.php" does, but that's not where they found any problem.<br>
<br>
And even in "changelocale.php" it isn't recognised as a GET parameter, only a POST. So again, setting it in the URL can't have any effect.<br>
<br>
So I would say this is a false positive.<br>
<br>
Cheers,<br>
Jules.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 24/06/2021 09:54, Neil via ZendTo wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello Jules <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I’ve conducted an OWASP web application test against our installation of zend.to, using ZAP (<a href="https://www.zaproxy.org">https://www.zaproxy.org</a>).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It has indicated one potential high risk, as a potential SQL injection vulnerability.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Do you have any thoughts on this, and whether it is a false positive, please?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best wishes<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:black"><br>
Neil<br>
<br>
<o:p></o:p></span></p>
</div>
</div>
</div>
<table class="MsoNormalTable" border="0" cellpadding="0" width="100%" style="width:100.0%">
<tbody>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Description<o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">SQL injection may be possible.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td colspan="2" valign="top" style="padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 15.0pt 3.0pt 15.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">URL</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><a href="https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5%20c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb366%208e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22">https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22aut
 h%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%
 5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl</a></span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Method</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">GET</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Parameter</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">getdata</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Attack</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">[]' AND '1'='1</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 15.0pt 3.0pt 15.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">URL</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><a href="https://filetransfer.decoded.legal/pickup.php">https://filetransfer.decoded.legal/pickup.php</a></span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Method</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">POST</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Parameter</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">claimID</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:3.0pt 30.0pt 3.0pt 30.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Attack</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">ZAP" AND "1"="1" -- </span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Instances</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">2</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Solution</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do not trust client side input, even if there is client side validation in place. </span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">In general, type check all data on the server side.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by
 '?'</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If database Stored Procedures can be used, use them.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate',
 or equivalent functionality!</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do not create dynamic SQL queries using simple string concatenation.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Escape all data received from the client.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Apply the principle of least privilege by using the least privileged database user possible.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection,
 but minimizes its impact.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Grant the minimum database access that is necessary for the application.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="20%" style="width:20.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Other information</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td width="80%" style="width:80.0%;background:#E8E8E8;padding:2.25pt 3.0pt 2.25pt 3.0pt;word-break:break-word">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The page results were successfully manipulated using the boolean conditions [[]' AND '1'='1] and [[]'
 AND '1'='2]</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Data was returned for the original parameter.</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The vulnerability was detected by successfully restricting the data originally returned, by manipulating
 the parameter</span><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>'Once is happenstance, twice is coincidence, three times is enemy<o:p></o:p></pre>
<pre> action.' - Ian Fleming<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</div>
<br>
<br>
The University of Aberdeen is a charity registered in Scotland, No SC013683.<br>
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
</body>
</html>