SQL Injection Vulnerable?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hello,

I didn't think nop was vulnerable to these attacks, however, we just hired a service (ControlScan) that said it found a way to use SQL Injection.

I can post the specifics here, but I'm not sure that it's good form if this method of attack is legit. How would you like me to proceed?

Thanks!
Kevin
9 years ago
nopCommerce is using Entity Framework, LINQ to Entities, instead of parameterized SQL queries.
LINQ to Entities is vulnerable to SQL injection by default.

See Security Considerations (Entity Framework) - Prevent SQL injection attacks.

'LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.'
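
The distinction drawn in the documentation quote above, as an added example that is not part of the thread and not nopCommerce code: the same input is run through a query built by string concatenation and through one that binds the value as a parameter. The table, function names and sample inputs are constructed assumptions, using Python's built-in sqlite3 in memory.

```python
import sqlite3

def make_db():
    # Constructed in-memory table; a stand-in, not nopCommerce's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attribute_value (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO attribute_value (name) VALUES (?)",
                     [("1.5 ohm",), ("1.8 ohm",), ("2.2 ohm",)])
    return conn

def lookup_concatenated(conn, name):
    # Value spliced into the SQL text: quotes inside `name` become SQL syntax.
    sql = "SELECT id FROM attribute_value WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    # Value bound as a parameter: the SQL text is fixed, `name` is only data.
    sql = "SELECT id FROM attribute_value WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

def triage(conn, value):
    """Run one input through both paths and report whether it altered the query."""
    bound = lookup_parameterized(conn, value)
    try:
        spliced = lookup_concatenated(conn, value)
    except sqlite3.OperationalError as exc:
        spliced = "error: %s" % exc  # a stray quote broke the statement
    return {"parameterized": bound, "concatenated": spliced,
            "input_changed_query": spliced != bound}

if __name__ == "__main__":
    db = make_db()
    for sample in ("1.5 ohm", "x' OR '1'='1", "O'Brien"):  # constructed inputs
        print(repr(sample), triage(db, sample))
```

When a scanner reports a finding, asking for the exact request and response lets you check which of these two behaviours the flagged field actually shows.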
9 years ago
I think you meant is NOT vulnerable by default =) which is what I thought. I can basically appeal this finding with them, but I wanted to run this by the group before doing that just to make sure.

Basically the vulnerability is with product attributes. Take a look at this page:

https://www.heavyvape.com/smoktech-bcc-replacement-coil

It's saying that arbitrary SQL can be injected into the product attribute?? Can anyone confirm this? If not, I will contact them and ask them to elaborate on exactly what SQL was injected.

Thanks,
Kevin
9 years ago
kevlingo wrote:
I think you meant is NOT vulnerable by default =) which is what I thought. I can basically appeal this finding with them, but I wanted to run this by the group before doing that just to make sure.

Basically the vulnerability is with product attributes. Take a look at this page:

https://www.heavyvape.com/smoktech-bcc-replacement-coil

It's saying that arbitrary SQL can be injected into the product attribute?? Can anyone confirm this? If not, I will contact them and ask them to elaborate on exactly what SQL was injected.

Thanks,
Kevin


Not clear what you mean. I think SQL injection should not be possible from the link you sent.
9 years ago
I think it's best if they can do a SQL injection to demo.nopcommerce.com to change some value there to prove the point. Maybe the site you gave doesn't follow the managed code practice or the way the nop system handles the database.
9 years ago
My new nopCommerce store has been hacked and there is a ton of SQL injection now. Where can I find the vulnerability?
9 years ago
Can you provide more details? How do you know that your admin password has not been compromised and they have modified data that way? What data and tables have been affected?
9 years ago
Hi Kevin,

Please see replies above. nopCommerce is not vulnerable to SQL injection. If you think it's vulnerable, please provide a list of steps to reproduce the issue.
9 years ago
I am still trying to identify how they accessed. They appended all text fields where it was set to varchar(max).
9 years ago
Hi all, on nopCommerce 3.2 we had a SQL injection attack into the database, table Products. Any suggestions to prevent this? It is business critical. Thanks in advance.

Massimo