Thread: SQL injection vulnerabilities


This question is answered. Helpful answers available: 2. Correct answers available: 1.


Replies: 6 - Last Post: Jul 28, 2016 7:26 AM Last Post By: Craig Burke
Craig Burke

Posts: 15
Registered: 4/28/07
SQL injection vulnerabilities  
  Posted: Jul 25, 2016 10:26 AM
I have a client that is using a web app (Stand Alone) designed using XE2 and Intraweb XII (12.2.31).
Their IT found that it is vulnerable to SQL injection. What do I need to do to fix this?

It also displays their IP address in the address bar. How do I hide it?

Thanks,
Craig

Edited by: Craig Burke on Jul 25, 2016 10:29 AM
Daniel Fields

Posts: 619
Registered: 11/29/04
Re: SQL injection vulnerabilities  
  Posted: Jul 25, 2016 12:47 PM   in response to: Craig Burke
1. I highly doubt that your application is vulnerable to a SQL injection attack. I have been told that a few times in the past only to find out that the test used was flawed. If you have a login screen to your application, it would be difficult for them to even perform the test. Because of IW's structure many traditional tests cannot even be executed. There is no way for a tester to start a session on the server unless you have given them a way to do so.

A SQL injection means that an attacker can put raw SQL code into an edit on a form, submit it, and then your application crashes to a SQL prompt, thereby allowing the attacker full access to the database. Another way this can be done is by passing parameters to your application.

If your application takes parameters like this: http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike, it could be attacked like this: http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1 . If your application responds with any results, or displays any database information, you are vulnerable.

Ask them to prove it! They should be able to show you data from any table in the database. They will not be able to show you any proof. I have pounded two of my servers with server testing tools that go through dozens of scenarios. The SQL injection attack fails with flying colors every time.

The only tests that my IW applications have failed at any point are those using SSL vulnerabilities. Each time that has happened I download the latest OpenSSL libraries, recompile, and the threat is fixed.

2. If the IP is showing in the address bar, it probably means a domain has not been assigned to the IP address. How are you accessing the application? If you are accessing it by IP address, that is what will display in the address bar. Use a domain to reach the application.
Craig Burke

Posts: 15
Registered: 4/28/07
Re: SQL injection vulnerabilities  
  Posted: Jul 26, 2016 5:48 PM   in response to: Daniel Fields
Hello Daniel,

Thanks for the reply!

I believe the issue is valid. They were using Burp and did send me a document showing that they were able to access their SQL DBs (44) and able to query them. This app was written back when Intraweb first came out and it looks like I made the mistake of concatenating the user entered values and was not using parameterized queries. So I am fixing that now. Also thanks for the heads up on the sending parameters issue because the app does allow for them and can access a specific record from any allowed DB.

Thanks again,
Craig

Daniel Fields wrote:
1. I highly doubt that your application is vulnerable to a SQL injection attack. I have been told that a few times in the past only to find out that the test used was flawed. If you have a login screen to your application, it would be difficult for them to even perform the test. Because of IW's structure many traditional tests cannot even be executed. There is no way for a tester to start a session on the server unless you have given them a way to do so.

A SQL injection means that an attacker can put raw SQL code into an edit on a form, submit it, and then your application crashes to a SQL prompt, thereby allowing the attacker full access to the database. Another way this can be done is by passing parameters to your application.

If your application takes parameters like this: http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike, it could be attacked like this: http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1 . If your application responds with any results, or displays any database information, you are vulnerable.

Ask them to prove it! They should be able to show you data from any table in the database. They will not be able to show you any proof. I have pounded two of my servers with server testing tools that go through dozens of scenarios. The SQL injection attack fails with flying colors every time.

The only tests that my IW applications have failed at any point are those using SSL vulnerabilities. Each time that has happened I download the latest OpenSSL libraries, recompile, and the threat is fixed.

2. If the IP is showing in the address bar, it probably means a domain has not been assigned to the IP address. How are you accessing the application? If you are accessing it by IP address, that is what will display in the address bar. Use a domain to reach the application.
Daniel Fields

Posts: 619
Registered: 11/29/04
Re: SQL injection vulnerabilities  
  Posted: Jul 26, 2016 5:55 PM   in response to: Craig Burke
I'm glad it turned out to be a simple fix. I have been a little feisty lately, so my answer was a little aggressive. What matters is that you could resolve a serious problem.
Craig Burke

Posts: 15
Registered: 4/28/07
Re: SQL injection vulnerabilities  
  Posted: Jul 28, 2016 7:26 AM   in response to: Daniel Fields
No problem!

Thanks Daniel.

Daniel Fields wrote:
I'm glad it turned out to be a simple fix. I have been a little feisty lately, so my answer was a little aggressive. What matters is that you could resolve a serious problem.
Alexandre Machado

Posts: 1,730
Registered: 8/10/13
Re: SQL injection vulnerabilities  
  Posted: Jul 26, 2016 12:09 AM   in response to: Craig Burke
I have a client that is using a web app (Stand Alone) designed using XE2 and Intraweb XII (12.2.31).
Their IT found that it is vulnerable to SQL injection. What do I need to do to fix this?

Please keep in mind that the application is the one that is vulnerable, not the framework. There is no such thing as a SQL injection vulnerable framework... On the other hand, there are SQL injection vulnerable applications, which make use of unsafe patterns, such as using SQL statements built from user provided data, without any sanity check.

Please read this introduction: https://en.wikipedia.org/wiki/SQL_injection

There are many examples of SQL injection there. All you have to do is to avoid it. In Delphi, these are the rules of thumb:

1) Always use parametrized queries (never concatenate user supplied strings to obtain a SQL statement!)
2) Never violate rule # 1
3) Use escape functions (e.g. Quote), and never do things like '"' + UserName + '"'

It also displays their IP address in the address bar. How do I hide it?

IntraWeb does not show the IP address in the address bar, unless you start the application using it. It won't change the address like this. Are you behind a proxy/firewall server?
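Putting Daniel's query-string test and Alexandre's rule 1 together in Delphi, as an added example that is not from this thread or from IntraWeb: it assumes a dbExpress TSQLQuery that is already connected (any dataset with Params works the same way), a hypothetical people table, and a lastname/firstname lookup like the directory.asp one above. The first function shows the concatenation Craig describes; the second is the parameterized replacement.

```delphi
unit DirectoryLookup;

interface

uses
  System.SysUtils, Data.DB, Data.SqlExpr;

// Vulnerable pattern, kept only to show what the fix replaces: LastName and
// FirstName arrive straight from the URL query string or an edit control.
function BuildUnsafeSql(const LastName, FirstName: string): string;

// Safe pattern: the SQL text is fixed and the values travel as parameters.
procedure LookupPerson(Query: TSQLQuery; const LastName, FirstName: string);

implementation

function BuildUnsafeSql(const LastName, FirstName: string): string;
begin
  // With firstname=mike' AND (select count(*) from fake)>0 OR '1'='1 the
  // quote closes the literal and the rest becomes part of the WHERE clause,
  // so the database evaluates the attacker's condition, not yours.
  Result := 'SELECT id, lastname, firstname FROM people WHERE lastname = ''' +
    LastName + ''' AND firstname = ''' + FirstName + '''';
end;

procedure LookupPerson(Query: TSQLQuery; const LastName, FirstName: string);
begin
  Query.Close;
  // Assigning SQL.Text with ParamCheck on (the default) creates the two
  // params; the statement text never contains user data.
  Query.SQL.Text :=
    'SELECT id, lastname, firstname FROM people ' +
    'WHERE lastname = :lastname AND firstname = :firstname';
  // The driver sends the values separately from the statement, so a quote
  // or an OR inside FirstName is only ever compared as data.
  Query.ParamByName('lastname').AsString := LastName;
  Query.ParamByName('firstname').AsString := FirstName;
  Query.Open;
end;

end.
```

The same change applies to every place the app builds SQL from request parameters, not just the login or search form; a record lookup by ID from the URL should bind the ID as an integer parameter rather than pasting it into the statement.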
Craig Burke

Posts: 15
Registered: 4/28/07
Re: SQL injection vulnerabilities  
  Posted: Jul 26, 2016 5:58 PM   in response to: Alexandre Machado
Hello Alexandre,

Thanks for the reply!

This app was written back when Intraweb first came out and it looks like I made the mistake of concatenating the user entered values and was not using parameterized queries. So I am fixing that now.

I can only assume that their server has a firewall. I have been trying to get in touch with their IT to get more information. The initial setup was done many years ago and the folks that I assisted then are no longer around and nobody seems to know who on their side is responsible for maintaining the app.

I have always told the clients to use a domain, so....

Thanks again for a great product!
Craig

Alexandre Machado wrote:
I have a client that is using a web app (Stand Alone) designed using XE2 and Intraweb XII (12.2.31).
Their IT found that it is vulnerable to SQL injection. What do I need to do to fix this?

Please keep in mind that the application is the one that is vulnerable, not the framework. There is no such thing as a SQL injection vulnerable framework... On the other hand, there are SQL injection vulnerable applications, which make use of unsafe patterns, such as using SQL statements built from user provided data, without any sanity check.

Please read this introduction: https://en.wikipedia.org/wiki/SQL_injection

There are many examples of SQL injection there. All you have to do is to avoid it. In Delphi, these are the rules of thumb:

1) Always use parametrized queries (never concatenate user supplied strings to obtain a SQL statement!)
2) Never violate rule # 1
3) Use escape functions (e.g. Quote), and never do things like '"' + UserName + '"'

It also displays their IP address in the address bar. How do I hide it?

IntraWeb does not show the IP address in the address bar, unless you start the application using it. It won't change the address like this. Are you behind a proxy/firewall server?