Website security audit

Get help with installation and running phpBB 3.1.x here. Please do not post bug reports, feature requests, or extension related questions here.

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.

Website security audit

Post by cpapaioannou » Sun Oct 30, 2016 4:55 am

Hello all,

I am having problems with a security audit on my site regarding Vulnerabilities in Custom Web Code.

The errors relate to the following (the 39 failures):

Blind SQL Injection 784 39 745
SQL Injection 952 39 913

One of the errors in more detail:
2. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Blind SQL Injection
Affected Parameter: password
Vector Used: VALUE';WAITFOR DELAY '00:00:24';--
Pattern found: Timing test
Complete Attack: [username= &password=';WAITFOR DELAY '00:00:24';-- &login=Login &redirect=./index.php?]

I have obtained a certificate for the site (https), but I am not sure what exactly these are referring to. I will note that when I was hosting the site on my internal NAS, I was not getting these errors, but on the hosting company's servers they started to come up. The hosting company doesn't seem to know what they are, and they directed me to set up https with the thought that it would correct the errors.

I hope someone can help clear this up.
