nopSolutions / nopCommerce

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.
https://www.nopcommerce.com

CGI Generic SQL Injection (blind, time based) #7250

Closed AdamBryner closed 1 week ago

AdamBryner commented 1 week ago

nopCommerce version: nopCommerce_4.70.0_NoSource_linux_x64.zip

Steps to reproduce the problem:

A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SecurityMetrics was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

See also :
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?ed792cf5
http://projects.webappsec.org/w/page/13246963/SQL%20Injection

Using the GET HTTP method, SecurityMetrics found that :

+ The following resources may be vulnerable to blind SQL injection (time based) :

+ The 'pagenumber' parameter of the /3i-osseotite-external-hex-abutments CGI :

/3i-osseotite-external-hex-abutments? pagenumber=2));SELECT%20pg_sleep(3) ;--

AndreiMaz commented 1 week ago

It cannot be reproduced.

P.S. Please do not post general web errors not related to nopCommerce
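
Added example, not part of the issue thread and not nopCommerce or SecurityMetrics code: one way to triage a time-based finding like the one reported above is to check whether the added latency tracks the requested sleep value across repeated runs, instead of trusting a single slower response. The timing samples, function names and thresholds below are constructed assumptions for illustration.

```python
"""Triage a time-based blind SQLi scanner finding from timing samples alone."""
from statistics import median

# Constructed timing samples in seconds (not measurements from any real site).
# Key = sleep value the probe asked for (0 = unmodified baseline request).
NOISY_SITE = {          # slow, jittery page: an occasional response looks "slow"
    0: [0.9, 1.1, 3.4, 1.0, 0.8],
    3: [1.0, 3.6, 0.9, 1.2, 1.1],
    6: [1.1, 0.9, 1.0, 3.2, 1.3],
}
INJECTABLE_SITE = {     # added delay follows the requested sleep value
    0: [0.4, 0.5, 0.4, 0.6, 0.5],
    3: [3.5, 3.4, 3.6, 3.5, 3.4],
    6: [6.4, 6.5, 6.6, 6.5, 6.4],
}


def added_delay(samples):
    """Median extra latency per requested sleep value, relative to baseline."""
    base = median(samples[0])
    return {s: median(t) - base for s, t in samples.items() if s != 0}


def classify(samples, tolerance=0.5, min_runs=5):
    """Return 'confirmed', 'not reproduced' or 'inconclusive'."""
    # Needs a baseline plus at least two sleep values, each measured repeatedly;
    # a single slow response proves nothing.
    if len(samples) < 3 or any(len(t) < min_runs for t in samples.values()):
        return "inconclusive"
    delays = added_delay(samples)
    # A real injection tracks every requested sleep value; network noise does not.
    tracks = [abs(d - s) <= tolerance for s, d in delays.items()]
    if all(tracks):
        return "confirmed"
    if not any(tracks):
        return "not reproduced"
    return "inconclusive"


if __name__ == "__main__":
    for name, data in (("noisy", NOISY_SITE), ("injectable", INJECTABLE_SITE)):
        print(name, added_delay(data), classify(data))
```

Medians are used so that one outlier response does not decide the verdict in either direction.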