[jQuery] Re: Potential blind sql injection vulnerability with Superfish JS?
The other possibility is that it isn't the Suckerfish code, but the actual links you have in your markup that get turned into the menu. If you are handling query string params in any of those links I would start looking there.

On Jun 19, 1:45 pm, Olivier Percebois-Garve perceb...@gmail.com wrote:
> I don't see how Superfish relates to SQL. Aren't they rather referring to the server-side code handling the navigation?
>
> NationPress wrote:
> > The client we're building a site for recently had a server-wide scan done by SecurityMetrics.com for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind SQL injection vulnerability" warning, level 4 out of 7, for the Superfish menu JavaScript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?
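The point the replies make, that any injection lives in the server-side code that reads the menu's query-string parameters rather than in the JavaScript, as an added example that is not part of this thread: a hypothetical `/nav?page=<slug>` handler written in Python over SQLite (the thread never names the client's server stack), shown with the parameter spliced into the SQL beside the parameterized, allow-listed version, plus a small probe that classifies responses the way a blind-SQLi scanner does (it never sees the SQL, only whether an odd character changes the response).

```python
import sqlite3

# Constructed sample data: the pages the Superfish menu links to, served by a
# hypothetical handler at /nav?page=<slug>.
PAGES = [("home", "Welcome"), ("about", "About us"), ("contact", "Contact")]
KNOWN_SLUGS = {slug for slug, _ in PAGES}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn


def lookup_vulnerable(conn, page):
    """'Before': the query-string value is spliced into the SQL text."""
    sql = "SELECT title FROM pages WHERE slug = '%s'" % page
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, page):
    """'After': the value is bound as a parameter, so it is data, never SQL.
    Menu links are a fixed set, so an allow-list check comes first."""
    if page not in KNOWN_SLUGS:
        return None
    return conn.execute("SELECT title FROM pages WHERE slug = ?", (page,)).fetchone()


def probe(lookup, page):
    """Classify a handler's response as a scanner would: 'row', 'no_row', or
    'error' when the SQL itself broke (the tell-tale a scanner reports)."""
    conn = make_db()
    try:
        row = lookup(conn, page)
    except sqlite3.OperationalError:
        return "error"
    return "row" if row else "no_row"


if __name__ == "__main__":
    # A stray quote in the slug breaks the spliced query but is merely an
    # unknown page for the fixed handler.
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(name, probe(fn, "about"), probe(fn, "about'"))
```

A scanner that sees the same page for `about` and `about'` has nothing to report; the spliced version answers the second request with an error, which is exactly the behavioural difference a blind-injection check keys on.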
[jQuery] Re: Potential blind sql injection vulnerability with Superfish JS?
How is JavaScript going to do a SQL injection?

On Fri, Jun 19, 2009 at 08:16, NationPress i...@nationpress.com wrote:
> The client we're building a site for recently had a server-wide scan done by SecurityMetrics.com for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind SQL injection vulnerability" warning, level 4 out of 7, for the Superfish menu JavaScript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?
[jQuery] Re: Potential blind sql injection vulnerability with Superfish JS?
I think it must've been a low-level issue. I don't know the internals of Superfish, but maybe the scan couldn't find code to escape() URLs against XSS attacks or something when generating the menu. Obviously Superfish cannot be the cause of SQL injections... it just sends you to other URLs.

On Jun 19, 8:10 am, aquaone aqua...@gmail.com wrote:
> How is JavaScript going to do a SQL injection?
>
> On Fri, Jun 19, 2009 at 08:16, NationPress i...@nationpress.com wrote:
> > The client we're building a site for recently had a server-wide scan done by SecurityMetrics.com for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind SQL injection vulnerability" warning, level 4 out of 7, for the Superfish menu JavaScript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?
[jQuery] Re: Potential blind sql injection vulnerability with Superfish JS?
I don't see how Superfish relates to SQL. Aren't they rather referring to the server-side code handling the navigation?

NationPress wrote:
> The client we're building a site for recently had a server-wide scan done by SecurityMetrics.com for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind SQL injection vulnerability" warning, level 4 out of 7, for the Superfish menu JavaScript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?