<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Mark,<br>
<br>
Thanks for that more detailed analysis.<br>
<br>
All changelocale.php does with the getdata/postdata input is put it
into $_GET and $_POST of the script that rendered the page (having
switched language). All the checking of the GET/POST data is done by
the other scripts. So if there are no problems with the input
handling of the other scripts, changelocale can't add any problems.
Yes, its HTML output will mirror its input (including GET/POST
parameters), but it doesn't actually do anything itself with that
data; it just passes it through.<br>
<br>
So I still think this is a false positive.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<div class="moz-cite-prefix">On 30/06/2021 13:10, Sangster, Mark via
ZendTo wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!ba8cb3afbc4159e8ec467136c8957d817c9c556ca4d900d38f084bc3a6eb2d3be799cba8e54d19fbec2b99397232135c!@mx.jul.es">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">I
tested this myself…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Visiting:
&lt;site&gt;/pickup.php?getdata=[123]<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Results
in this in the source: '&lt;input type="hidden"
name="getdata" id="getdata"
value="{"getdata":"[123]"}"/&gt;'+<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">So,
whilst pickup.php doesn’t use the variable, it does cause
it to be set in the &lt;input&gt;, which would then POST to
changelocale.php via JS.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">It
is also possible to set the postdata variable for example
with curl:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">$
curl -s --data "postdata=[123]" https://&lt;site&gt;/pickup.php | grep 123<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">
'&lt;input type="hidden" name="postdata" id="postdata"
value="{"postdata":"[123]","auth":"0fbecdfffe9da3c642a74605325c944b"}"/&gt;');<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">The
data is encoded but it seems like it is normally encoded as
it is (noting the auth). It might be feasible to craft
something to impact changelocale.php depending on how it
handles sanitising the getdata/postdata input.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">If
it is unexpected to accept input from GET/POST to
pickup.php, then it shouldn’t be set and passed to
changelocale.php.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">I
presume the detection it made was simply that the submitted
string appears in the source.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> ZendTo <a class="moz-txt-link-rfc2396E" href="mailto:zendto-bounces@zend.to">&lt;zendto-bounces@zend.to&gt;</a>
<b>On Behalf Of </b>Jules via ZendTo<br>
<b>Sent:</b> 30 June 2021 12:02<br>
<b>To:</b> ZendTo Users <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a><br>
<b>Cc:</b> Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a><br>
<b>Subject:</b> Re: [ZendTo] Potential SQL injection
vulnerability?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Neil,<br>
<br>
Curious.<br>
<br>
What I can definitely say is that "pickup.php" does not have
a parameter called "getdata", so you can set that to
anything you like and it shouldn't have any effect
whatsoever.<br>
<br>
"changelocale.php" does, but that's not where they found any
problem.<br>
<br>
And even in "changelocale.php" it isn't recognised as a GET
parameter, only a POST. So again, setting it in the URL
can't have any effect.<br>
<br>
So I would say this is a false positive.<br>
<br>
Cheers,<br>
Jules.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 24/06/2021 09:54, Neil via ZendTo
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello Jules <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I’ve conducted an OWASP web
application test against our installation of zend.to,
using ZAP (<a href="https://www.zaproxy.org"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.zaproxy.org</a>).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It has indicated one potential high
risk, as a potential SQL injection vulnerability.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Do you have any thoughts on this, and
whether it is a false positive, please?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best wishes<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="color:black"><br>
Neil<br>
<br>
<o:p></o:p></span></p>
</div>
</div>
</div>
<table class="MsoNormalTable" style="width:100.0%"
width="100%" cellpadding="0" border="0">
<tbody>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Description<o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">SQL
injection may be possible.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:2.25pt 3.0pt 2.25pt
3.0pt;word-break:break-word" valign="top">
<br>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
15.0pt 3.0pt 15.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">URL</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><a
href="https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5%20c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb366%208e43af5c28b%5C%5C%5C%22%7D%
5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22"
moz-do-not-send="true">https://filetransfer.decoded.legal/pickup.php?getdata=%5B%5D%27+AND+%271%27%3D%271&getdata=%7B%22getdata%22%3A%22%5B%5D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%5C%5C%22%3A%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22aut
h%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getdata=%7B%22getdata%22%3A%22%7B%5C%22getdata%5C%22%3A%5C%22%7B%5C%5C%5C%22getdata%5C%5C%5C%22%3A%5C%5C%5C%22%5B%5D%5C%5C%5C%22%2C%5C%5C%5C%22getput%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22goingto%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22gothere%5C%5C%5C%22%3A%5C%5C%5C%22pickup.php%5C%5C%5C%22%2C%5C%5C%5C%22locale%5C%5C%5C%22%3A%5C%5C%5C%22%5C%5C%5C%22%2C%5C%5C%5C%22postdata%5C%5C%5C%22%3A%5C%5C%5C%22%7B%5C%5C%5C%5C%5C%5C%5C%22auth%5C%5C%5C%5C%5C%5C%5C%22%3A%5C%5C%5C%5C%5C%5C%5C%2295ca1f5b66aba21cc2698ead33d03285%5C%5C%5C%5C%5C%5C%5C%22%7D%5C%5C%5C%22%2C%5C%5C%5C%22template%5C%5C%5C%22%3A%5C%5C%5C%22claimid_box.tpl%5C%5C%5C%22%7D%5C%22%2C%5C%22getput%5C%22%3A%5C%22%5C%22%2C%5C%22goingto%5C%22%3A%5C%22%5C%22%2C%5C%22gothere%5C%22%3A%5C%22pickup.php%5C%22%2C%5C%22locale%5C%22%3A%5C%22%5C%22%2C%5C%22postdata%5C%22%3A%5C%22%7B%5C%5C%5C%22auth%5C%
5C%5C%22%3A%5C%5C%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%5C%5C%22%7D%5C%22%2C%5C%22template%5C%22%3A%5C%22claimid_box.tpl%5C%22%7D%22%2C%22getput%22%3A%22%22%2C%22goingto%22%3A%22%22%2C%22gothere%22%3A%22pickup.php%22%2C%22locale%22%3A%22%22%2C%22postdata%22%3A%22%7B%5C%22auth%5C%22%3A%5C%22a6d31fa9ec46a6cffb3668e43af5c28b%5C%22%7D%22%2C%22template%22%3A%22claimid_box.tpl%22%7D&getput=&goingto=&gothere=pickup.php&locale=&postdata=%7B%22auth%22%3A%22%22%7D&postdata=%7B%22auth%22%3A%2295ca1f5b66aba21cc2698ead33d03285%22%7D&postdata=%7B%22auth%22%3A%22a6d31fa9ec46a6cffb3668e43af5c28b%22%7D&template=claimid_box.tpl</a></span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Method</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">GET</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Parameter</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">getdata</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Attack</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">[]'
AND '1'='1</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
15.0pt 3.0pt 15.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">URL</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black"><a
href="https://filetransfer.decoded.legal/pickup.php"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://filetransfer.decoded.legal/pickup.php</a></span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Method</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">POST</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Parameter</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">claimID</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:3.0pt
30.0pt 3.0pt 30.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Attack</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">ZAP"
AND "1"="1" -- </span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Instances</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">2</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Solution</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do
not trust client side input, even if there is
client side validation in place. </span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">In
general, type check all data on the server
side.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If
the application uses JDBC, use
PreparedStatement or CallableStatement, with
parameters passed by '?'</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If
the application uses ASP, use ADO Command
Objects with strong type checking and
parameterized queries.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">If
database Stored Procedures can be used, use
them.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do
*not* concatenate strings into queries in the
stored procedure, or use 'exec', 'exec
immediate', or equivalent functionality!</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Do
not create dynamic SQL queries using simple
string concatenation.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Escape
all data received from the client.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Apply
an 'allow list' of allowed characters, or a
'deny list' of disallowed characters in user
input.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Apply
the principle of least privilege by using the
least privileged database user possible.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">In
particular, avoid using the 'sa' or 'db-owner'
database users. This does not eliminate SQL
injection, but minimizes its impact.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Grant
the minimum database access that is necessary
for the application.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td
style="width:20.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="20%">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Other
information</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td
style="width:80.0%;background:#E8E8E8;padding:2.25pt
3.0pt 2.25pt 3.0pt;word-break:break-word"
width="80%">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The
page results were successfully manipulated
using the boolean conditions [[]' AND '1'='1]
and [[]' AND '1'='2]</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The
parameter value being modified was NOT
stripped from the HTML output for the purposes
of the comparison</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">Data
was returned for the original parameter.</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif;color:black">The
vulnerability was detected by successfully
restricting the data originally returned, by
manipulating the parameter</span><span
style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to" moz-do-not-send="true" class="moz-txt-link-freetext">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true" class="moz-txt-link-freetext">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>'Once is happenstance, twice is coincidence, three times is enemy<o:p></o:p></pre>
<pre> action.' - Ian Fleming<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'We are such stuff as dreams are made on.
And our little life is rounded with a sleep.'
- Starfleet Admiral Jean-Luc Picard (retired)
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
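Mark's observation that the detection was simply the submitted string appearing in the page source, and ZAP's own note that the parameter value was NOT stripped from the HTML output for the comparison, can be reproduced offline. The Python below is an added triage example; it is not ZendTo's code and not ZAP's scanner. render_reflecting_page and render_filtered_page are constructed stand-ins (the first echoes its parameter into a hidden JSON-carrying input the way the thread's pickup.php output does and runs no SQL; the second simulates a page whose row count genuinely depends on the condition), strip_reflection, boolean_check and is_reflection_only are hypothetical helpers, and boolean_check is a simplified model of the stripped-first, raw-fallback comparison the alert's "Other information" describes, not ZAP's actual implementation.

```python
"""Triage helper for a boolean-based SQL injection alert raised against a page
that merely echoes its parameter.  Added example: not ZendTo's code and not
ZAP's code; the page renderers are constructed stand-ins."""
import html
import json
from typing import Callable, Dict

Fetcher = Callable[[str], str]   # maps a parameter value to a response body


def render_reflecting_page(getdata: str) -> str:
    """Constructed stand-in for a page that copies its query parameter, untouched,
    into a hidden input carrying JSON (the shape quoted in the thread).  It runs
    no SQL, so any 'injection' signal can only come from the echo itself."""
    payload = json.dumps({"getdata": getdata}, separators=(",", ":"))
    return (
        "<html><body>\n"
        '<form action="changelocale.php" method="post">\n'
        f'<input type="hidden" name="getdata" id="getdata" value="{html.escape(payload, quote=True)}"/>\n'
        "</form>\n"
        "<p>Please enter the claim ID you were given.</p>\n"
        "</body></html>\n"
    )


def render_filtered_page(value: str) -> str:
    """Constructed model of what a genuine positive looks like: the number of
    rows shown really depends on the injected condition.  No SQL is run; only
    the observable effect is simulated so the two cases can be compared."""
    rows = [] if "'1'='2" in value else ["row-1", "row-2"]
    return "<ul>" + "".join(f"<li>{html.escape(r)}</li>" for r in rows) + "</ul>"


def strip_reflection(body: str, value: str) -> str:
    """Delete the injected value wherever the page echoes it (raw, HTML-escaped,
    JSON-escaped) so the comparison ignores pure reflection."""
    json_form = json.dumps(value)[1:-1]          # JSON string escaping without the quotes
    variants = {
        value,
        html.escape(value, quote=True),
        html.escape(value, quote=False),
        json_form,
        html.escape(json_form, quote=True),
    }
    # Longest variant first, so removing a shorter form never leaves fragments of a longer one.
    for variant in sorted(variants, key=len, reverse=True):
        body = body.replace(variant, "")
    return body


def boolean_check(fetch: Fetcher, original: str) -> Dict[str, object]:
    """Simplified model of the logic the alert's 'Other information' describes:
    the TRUE condition must leave the page as it was and the FALSE condition must
    change it.  The comparison is tried on reflection-stripped bodies first and,
    if that shows nothing, on the raw bodies ('NOT stripped')."""
    cond_true = original + "' AND '1'='1"
    cond_false = original + "' AND '1'='2"
    base, r_true, r_false = fetch(original), fetch(cond_true), fetch(cond_false)

    base_s = strip_reflection(base, original)
    true_same = strip_reflection(r_true, cond_true) == base_s
    false_differs = strip_reflection(r_false, cond_false) != base_s
    if true_same and false_differs:
        return {"alert": True, "basis": "stripped"}
    # Raw fallback: on a reflecting page the echoed payload alone makes the bodies differ.
    if true_same and r_false != base:
        return {"alert": True, "basis": "not stripped"}
    return {"alert": False, "basis": None}


def is_reflection_only(fetch: Fetcher, original: str) -> bool:
    """Triage rule: an alert that exists only under the raw comparison, while the
    reflection-stripped bodies agree for every condition, is explained by the
    page echoing the parameter and needs no SQL to occur."""
    verdict = boolean_check(fetch, original)
    return bool(verdict["alert"] and verdict["basis"] == "not stripped")


if __name__ == "__main__":
    for name, page in (("reflecting page", render_reflecting_page),
                       ("filtered page", render_filtered_page)):
        print(name, boolean_check(page, "[]"), "reflection only:", is_reflection_only(page, "[]"))
```

Run stand-alone, the reflecting page is flagged with basis "not stripped" and classified as reflection-only, while the filtered page is flagged with basis "stripped" and is not; a page that ignores the parameter entirely raises no alert in either mode. That distinction is what to look for in the alert's "Other information" before escalating a scanner finding against a page that passes its input through unchanged.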
</body>
</html>