I am having problems with a security audit on my site (https://wssa.beyondsecurity.com
) regarding Vulnerabilities in Custom Web Code.
The errors are in relation to the following (the 39 failures)
Blind SQL Injection 784 39 745
SQL Injection 952 39 913
One of the errors in more detail -
2. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Blind SQL Injection
Affected Parameter: password
Vector Used: VALUE';WAITFOR DELAY '00:00:24';--
Pattern found: Timing test
Complete Attack: http://www.princessplace.ca/ucp.php?mode=login
[username= &password=';WAITFOR DELAY '00:00:24';-- &login=Login &redirect=./index.php?]
I have obtained a certificate for the site (https) but I am not sure what exactly these are referring to. I will note that when I was hosting the site on my internal NAS, I was not getting these errors, but on the hosting company, they started to come up. Hosting company doesn't seem to know what they are and they directed me to get the https setup with the thought that it would correct the errors.
I hope someone can help clear this up.