CGI Generic SQL Injection threat

4 months ago
Hi Everyone
I have a client that is looking to implement a bank's payment gateway on their website. The bank is obviously very stringent about security and runs a regular security check on the server via Security Metrics. The server has passed in previous checks, but the last check gave us a FAIL. The reason for the fasil is listed below, but I am not sure what they mean by this. Can anybody shed some light and maybe a solution? (I have removed the actual website URL and metadata in case this notice actual reveals a hole that can be compromised)


443  TCP  www  CGI Generic SQL Injection (blind, time based)

CGI Generic SQL Injection (blind, time based)

A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SecurityMetrics was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. See also :

Modify the affected CGI scripts so that they properly escape arguments.

Data Received
Using the GET HTTP method, SecurityMetrics found that : + The following resources may be vulnerable to blind SQL injection (time based) : + The 'q' parameter of the /search CGI : /search?q='%20AND%20SLEEP(8)=' -------- output -------- <!DOCTYPE html> <html lang="en" dir="ltr" class="html-search-page"> <head> <title>#### O [...] <meta http-equiv="Content-type" content="text/html;charset=UTF-8" /> <meta name="description" content="#### is Aus [...] <meta name="keywords" content="####------------------------ Clicking directly on these URLs should exhibit the issue : (you will probably need to read the HTML source)'%20AND%20SLEEP(8)='


Let me know your thoughts.

Thanks as always!
4 months ago
This has probably been discussed before here.
4 months ago
Thanks Romanov