'LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.'
I think you meant is NOT vulnerable by default =) which is what I thought. I can basically appeal this finding with them, but I wanted to run this by the group before doing that just to make sure.
Basically the vulnerability is with product attributes. Take a look at this page:
It's saying that arbitrary SQL can be injected into the product attribute?? Can anyone confirm this? If not, I will contact them and ask them to elaborate on exactly what SQL was injected.
Thanks, Kevin
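As an added illustration of the quoted point (example code, not nopCommerce's own code nor anything posted in this thread), the following C# shows how Entity Framework treats the same untrusted value in a LINQ to Entities query, in raw SQL built by concatenation, and in raw SQL passed as an interpolated string. It assumes EF Core with the Microsoft.EntityFrameworkCore.Sqlite package and a hypothetical `Product` entity.

```csharp
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical minimal entity; not nopCommerce's own Product model.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class ShopContext : DbContext
{
    public DbSet<Product> Products => Set<Product>();
    protected override void OnConfiguring(DbContextOptionsBuilder o)
        => o.UseSqlite("Data Source=:memory:");   // constructed in-memory database
}

public static class Demo
{
    public static void Main()
    {
        using var ctx = new ShopContext();
        ctx.Database.OpenConnection();             // keep the in-memory DB alive
        ctx.Database.EnsureCreated();
        ctx.Products.AddRange(new Product { Name = "Widget" },
                              new Product { Name = "Gadget" });
        ctx.SaveChanges();

        // Constructed sample of untrusted input shaped like a classic injection string.
        string input = "Widget' OR '1'='1";

        // 1) LINQ to Entities: the provider binds `input` as a parameter, so the
        //    whole string is compared as data and the quote has no SQL meaning.
        int linqHits = ctx.Products.Count(p => p.Name == input);

        // 2) Raw SQL by concatenation: the input becomes part of the statement text.
        //    This is the code pattern a scanner finding would have to point at.
        int concatHits = ctx.Products
            .FromSqlRaw("SELECT * FROM Products WHERE Name = '" + input + "'")
            .Count();

        // 3) Raw SQL via FromSqlInterpolated: EF converts {input} into a parameter,
        //    giving the same protection as the LINQ form.
        int interpHits = ctx.Products
            .FromSqlInterpolated($"SELECT * FROM Products WHERE Name = {input}")
            .Count();

        Console.WriteLine($"LINQ: {linqHits}, concat: {concatHits}, interpolated: {interpHits}");
    }
}
```

Only the concatenated form lets the quote character alter the WHERE clause; when reviewing a finding like the one in this thread, search the code base for `FromSqlRaw`, `ExecuteSqlRaw` or hand-built SQL strings rather than the LINQ queries.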
Not clear what you mean; I think SQL injection should not be possible from the link you sent.
I think it's best if they can do a SQL injection on demo.nopcommerce.com to change some value there to prove the point. Maybe the site you gave doesn't follow the managed code practice or the way the nop system handles the database.
Can you provide more details? How do you know that your admin password has not been compromised and they have modified data that way? What data and tables have been affected?
Please see replies above. nopCommerce is not vulnerable to SQL injection. If you think it's vulnerable, please provide a list of steps to reproduce the issue
Hi all, nopCommerce 3.2: we had a SQL injection attack into the database, table Products. Any suggestion to prevent this? It is business critical. Thanks in advance
Massimo