Hi Justin,

Thanks for the reply. We are using QualysGuard Express for the scan:
http://www.qualys.com/smb/qualysguard/express/

I just couldn't locate anywhere within the webtop core that would be a SQL injection. Can you please help a bit more if you can run a scan from your end?

Many thanks,

On Tue, Jan 7, 2014 at 3:21 PM, Justin Carter <[email protected]> wrote:

> That doesn't seem to be SQL injection, it looks like an XSS attempt on form POST variables (generally harder to trick a user with because it would have to POST from a different domain, rather than just getting them to click a link...)
>
> Can you tell me which scanning tool was used? It would help just to clarify the type of vulnerability that is identified, and if it's an open source one then I can also run it myself.
>
> In the short term, if this is XSS then it can be mitigated by asking your webtop users to ensure they enter the correct URL or use only their browser bookmarks for logging into the webtop.
>
> Longer term, you'd probably want to plan to upgrade to FarCry 7 (and CF10 or Railo 4) as we are now making use of the ESAPI functions to further guard against XSS attacks for code within Core.
>
> cheers,
> Justin
>
> On Tuesday, January 7, 2014 2:53:30 PM UTC+11, Xiaofeng Liu wrote:
>>
>> Hi,
>>
>> We have an old FarCry 5.2.7 site. A recent WAS security scan reported some SQL injection threats around the webtop login area:
>>
>> Detection Information
>> Parameter
>> It has been detected by exploiting the parameter *farcryFormValidation* of the form located in URL http://thewebsite/farcry/core/webtop/login.cfm?returnUrl=/index.cfm
>> The payloads section will display a list of tests that show how the param could have been exploited to collect the information
>>
>> Payloads
>> #1 Request
>> Payload
>> FarcryFormPrefixes=login&loginObjectID=E8C4D550-6FBE-11E3-AFD63C4A926C9186&loginTypename=farLogin&loginusername=John&loginpassword=John&FarcryFormSubmitButton=1234&FarcryFormSubmitButtonClickedfarcryForm444678179=1234&FarcryFormSubmitted=farcryForm444678179&SelectedObjectID=1234&farcryFormValidation=1%22'%3E%3Cqss%3E&FarcryFormsubmitButton%3DLog%20In=Log%20In
>> Request
>> POST http://thewebsite/farcry/core/webtop/login.cfm?returnUrl=/index.cfm
>>
>> Same SQL injection threats also reported on:
>>
>> *SelectedObjectID*
>> *FarcryFormSubmitted*
>> *FarcryFormSubmitButton*
>> *loginpassword*
>>
>> Can anyone please point us in the right direction about how to fix this?
>>
>> Thanks
>>
>> --
>> Best regards,
>>
>> Xiaofeng,^_^
>>
> --
> You received this message cos you are subscribed to "farcry-dev" Google group.
> To post, email: [email protected]
> To unsubscribe, email: [email protected]
> For more options: http://groups.google.com/group/farcry-dev
> --------------------------------
> Follow us on Twitter: http://twitter.com/farcry
> ---
> You received this message because you are subscribed to the Google Groups "farcry-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

--
Best regards,

Xiaofeng,^_^
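An added illustration of Justin's point, not code from this thread or from FarCry: it URL-decodes the scanner's POST body quoted in the report, shows that the `farcryFormValidation` value is an HTML-breakout probe rather than SQL, and shows how HTML entity encoding on output (the job CF10's `encodeForHTML` / ESAPI does) keeps such a value inside the attribute it is echoed into. `render_hidden_field` and the `PROBE` pattern are assumptions made for the demonstration.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed from the payload quoted in the scan report (line wraps removed).
SCANNER_BODY = (
    "FarcryFormPrefixes=login&loginObjectID=E8C4D550-6FBE-11E3-AFD63C4A926C9186"
    "&loginTypename=farLogin&loginusername=John&loginpassword=John"
    "&FarcryFormSubmitButton=1234&FarcryFormSubmitted=farcryForm444678179"
    "&SelectedObjectID=1234&farcryFormValidation=1%22'%3E%3Cqss%3E"
)

# Assumed heuristic: a quote or '>' followed by a tag-like token is a markup
# breakout probe (what "1\"'><qss>" is), not a SQL metacharacter test.
PROBE = re.compile(r'["\'>]\s*<[a-z]', re.I)


def decode_form(body):
    """URL-decode a form POST body into an ordered list of (name, value)."""
    return parse_qsl(body, keep_blank_values=True)


def flagged_params(body):
    """Names of parameters whose decoded value carries an HTML breakout probe."""
    return [name for name, value in decode_form(body) if PROBE.search(value)]


def render_hidden_field(name, value, encode=True):
    """Simulate echoing a submitted value back into a hidden form field.

    With encode=False the quote and '>' in the value close the attribute and
    the tag, so the rest of the value lands in the page as markup; with
    encode=True the value is entity-encoded and stays inside the attribute.
    """
    safe = html.escape(value, quote=True) if encode else value
    return f'<input type="hidden" name="{name}" value="{safe}">'


def value_escapes_attribute(rendered):
    """True if the rendered field contains any tag other than the input itself."""
    tags = re.findall(r"<\s*([a-z]+)", rendered, re.I)
    return any(tag.lower() != "input" for tag in tags)


if __name__ == "__main__":
    probe = dict(decode_form(SCANNER_BODY))["farcryFormValidation"]
    print("flagged:", flagged_params(SCANNER_BODY))
    print("raw echo breaks out:", value_escapes_attribute(render_hidden_field("farcryFormValidation", probe, encode=False)))
    print("encoded echo breaks out:", value_escapes_attribute(render_hidden_field("farcryFormValidation", probe)))
```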
