January 24, 2008 - Sell streaming video: new feature in Comersus 7.097.
January 15, 2008 - WordPress plugin: sell WordPress content subscriptions.
January 8, 2008 - Change in payment methods: details about hacked default or outdated installations.
January 2, 2008 - Security: is your shopping cart installation secure? Read about the security measures.
December 17, 2007 - Happy Holidays: Comersus v7.095 release, end-of-year promotions for Power Pack, Version Upgrade and Multi License.
September 18, 2007 - v7.09 available: new filtering for SQL injection and cross-site scripting, real-time FedEx XML, clean HTML from keywords, and more.
August 1, 2007 - Small Business: small business and credit card processing.
June 1, 2007 - YouTube as a sales tool: how to include YouTube videos in your shopping cart.
April 1, 2007 - E-commerce book: Succeeding in E-commerce, available at Barnes and Noble.
About SQL Injection and Cross Site Scripting Security Advisories
We have recently been contacted by a security portal about alleged serious vulnerabilities found in Comersus Cart. As on past occasions, the vulnerability report is incomplete, amateurish and riddled with errors. The following are our notes on that report.
Date: July 2007
1. Regarding versions: The report states that the vulnerabilities were found in version 7.07, adds that previous versions have them too, and guesses that version 7.08 could also be affected. A security researcher can only advise about the versions actually tested; prediction and deduction have no place in a serious security report.
2. About SQL injection: Comersus uses filtering functions to prevent SQL injection. SQL injection is a serious concern for any dynamic application that reaches a database, because it lets an attacker read or modify data while bypassing the permissions the application enforces. The report claims that Comersus 7.08 has a "SQL hole" and offers the following URL as evidence: comersus_optReviewReadExec.asp?idProduct'. That URL produces a database error because the value supplied for idProduct is not the numeric identifier the page expects. The Querystring value of idProduct is, however, filtered both by length and by allowed characters before it is used, precisely to prevent such attacks. An error message on malformed input does not by itself demonstrate a threat or prove a vulnerability, and it is irresponsible to describe it as a "SQL hole". A verbose database error is still worth suppressing on a production store, since it tells a tester that the parameter reaches the database layer; what matters for injection is whether the value can alter the query, and the filter exists to prevent exactly that.
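The filtering described above, in a runnable form. This is an added example written for this page in Python, not Comersus's own code (Comersus is a classic ASP application); the table name, the column names and the two read functions are assumptions, and the in-memory database is constructed for the example. It puts an unfiltered, concatenated query beside one that whitelists idProduct by length and character class and then binds it as a parameter, so the single-quote probe from the report is rejected before it ever reaches the database, while the unfiltered version raises the database error the report saw.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for a store database.
    Table and column names are assumptions for this example, not a real schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (idProduct INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    return con


# Whitelist: a product id is a short run of digits and nothing else.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def filter_id(raw):
    """Filter by length and character class. Returns an int, or None when the
    value is rejected (quotes, spaces, keywords and over-long values all fail)."""
    if raw is None or not ID_PATTERN.match(raw):
        return None
    return int(raw)


def read_review_unsafe(con, raw_id):
    """No filtering, string concatenation: whatever is in the URL becomes SQL."""
    sql = "SELECT name FROM products WHERE idProduct = " + raw_id
    return con.execute(sql).fetchall()


def read_review_safe(con, raw_id):
    """Filter first, then bind the value as a parameter so it can only ever be data."""
    id_product = filter_id(raw_id)
    if id_product is None:
        # Generic message: nothing about the database layer is revealed.
        return "invalid idProduct"
    return con.execute("SELECT name FROM products WHERE idProduct = ?",
                       (id_product,)).fetchall()


def probe(raw_id):
    """Run one query-string value through both versions and return what each did."""
    con = make_db()
    try:
        unsafe = read_review_unsafe(con, raw_id)
    except sqlite3.Error as e:
        unsafe = "db error: " + str(e)
    return unsafe, read_review_safe(con, raw_id)


if __name__ == "__main__":
    for value in ("2", "'", "1 OR 1=1"):
        print(repr(value), "->", probe(value))
```

The `'` probe only produces an error in the concatenated version; the `1 OR 1=1` probe is the more telling test, since it returns every row from the concatenated query and is simply refused by the filtered one.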
3. About cross-site scripting pages: Three alleged exploits are presented in which Comersus prints the string "XSS" on screen. This is not a vulnerability. While it is possible to craft a URL that makes a page display text that did not originate on the site, that text is plainly part of the URL itself and visibly comes from the way the URL was assembled. The security-relevant question is whether characters such as <, >, quotes and ampersands are encoded before the value is echoed; echoing plain text is not the same as executing script, which is what points 4 and 5 address.
4. About cross-site scripting exploits: Comersus has filtering levels that prevent script from being printed by means of the script tag, so this vulnerability is not present.
5. About phishing: Comersus has filtering levels that prevent generating markup containing the characters required by the form in the example given in the report. The example only prints the text of the form on screen; the form's markup appears as text rather than as a working form.
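Points 3 to 5 turn on how an echoed query-string value comes back in the page, and the Conclusions below ask store owners to check their own installations. The following is an added example, written for this page in Python and not Comersus's filtering code, of a small reflection checker for that purpose. The two renderers are constructed stand-ins for a page that echoes a parameter: one entity-encodes the value on output, the other only removes script tags; both are assumptions, as are the probe strings. The checker reports, for each probe, whether it came back raw, encoded, removed, or was harmless text to begin with, which is the distinction between "prints the string XSS" and "prints script".

```python
import html
import re


def render_encoded(value):
    """Stand-in page that encodes every HTML-significant character on output."""
    return "<p>Search results for: " + html.escape(value, quote=True) + "</p>"


SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def render_tag_filter(value):
    """Stand-in page that removes <script> tags only and echoes everything else as-is."""
    return "<p>Search results for: " + SCRIPT_TAG.sub("", value) + "</p>"


# Constructed probes: plain text, a script tag, a non-script element carrying an
# attribute, and the bare characters that matter for markup and attribute contexts.
PROBES = {
    "plain text": "XSS",
    "script tag": "<script>alert(1)</script>",
    "element with attribute": '<b title="x">XSS</b>',
    "quote and angle brackets": "\"'<>",
}


def classify(response, probe):
    """How did the probe come back in the response?
    'harmless': the probe has no HTML-significant characters and was echoed
    'raw':      HTML-significant characters survived unencoded
    'encoded':  they were entity-encoded on output
    'removed':  the probe is gone (filtered or rewritten)"""
    if not any(c in probe for c in "<>\"'"):
        return "harmless" if probe in response else "removed"
    if probe in response:
        return "raw"
    if html.escape(probe, quote=True) in response:
        return "encoded"
    return "removed"


def audit(renderer):
    """Run every probe through a renderer and collect the classification of each."""
    return {name: classify(renderer(p), p) for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, renderer in (("encode on output", render_encoded),
                           ("strip script tags", render_tag_filter)):
        print(name)
        for probe, verdict in audit(renderer).items():
            print("  %-26s %s" % (probe, verdict))
```

Against a live store the `response` argument would be the body fetched for a URL carrying the probe; the same classification applies. Running more than a script-tag probe is the point: a filter can report "removed" for that probe and "raw" for the others, and only "encoded" across the board shows the value is being treated as text.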
Conclusions: Any software application, even one developed by a company with a large quality assurance and testing budget, may have bugs and vulnerabilities. It is essential, then, for users to stay in touch with the providers of their software and, when a security report appears, even from a doubtful source, to understand the information presented and check their own installations for the reported vulnerabilities where necessary.
Some installations may be vulnerable because of customizations or specific configurations, such as the filtering levels. If you have any doubts about a security report that may affect your store, contact us for information or for an assessment of your installation.
Comersus Open Technologies