Portal Engine forum (questions on portal engine and web parts)
Version 5.x > Portal Engine > Blind SQL issues
gatsby0121 (Member) - 10/13/2011 3:38:32 AM

Blind SQL issues
We have a client for whom we have developed a website using Kentico.

They have since run a security check on the site, and it has come back with several blind SQL attack vulnerabilities, particularly with the getfile.aspx page.

Blind SQL issues were triggered off the Session and polling cookies.

Has anyone heard of this, and has it been addressed anywhere?

kentico_jurajo (Kentico Support) - 10/13/2011 5:31:07 AM

RE:Blind SQL issues
Hi,

Could you be more specific where the issues were found and reported?
Which URLs, on which page?
What web parts are used on those pages?
What tool did you use to scan?
What is the exact version number of Kentico CMS you are using?

Is it possible to send us the complete report output from your security scan?

Best regards,
Juraj Ondrus

gatsby0121 (Member) - 10/13/2011 5:33:17 AM

RE:Blind SQL issues
I can send the report to you, what email address should I use?

kentico_jurajo (Kentico Support) - 10/13/2011 5:37:15 AM

RE:Blind SQL issues
Hi,

You can use a form on our support pages on our web site or send it directly to our e-mail address. You can find the information here: http://www.kentico.com/Support

Best regards,
Juraj Ondrus

gatsby0121 (Member) - 10/13/2011 10:59:46 AM

RE:Blind SQL issues
I've sent that information to the support team.

A side question though. All of my SQL code uses the

```csharp
// Open a connection through the Kentico connection helper.
GeneralConnection cn = ConnectionHelper.GetConnection();

DataSet ds = null;

// Kentico's parameter array: one row per parameter, columns are
// [name, value, type]. The third column (parameter type) is left unset here.
object[,] parameters = new object[1, 3];

parameters[0, 0] = "@specialID";
parameters[0, 1] = specialID;

// Call the stored procedure by name; the value travels as a bound parameter,
// not as part of the SQL text. The last argument (false) means no transaction is required.
ds = cn.ExecuteQuery("Proc_checkSpecialD", parameters, CMS.IDataConnectionLibrary.QueryTypeEnum.StoredProcedure, false);
```

format, and my stored procedures do not use exec(). Provided that what I just said is accurate, does that mean that my code is safe from blind SQL injections and SQL injections?

kentico_jurajo (Kentico Support) - 10/15/2011 6:01:33 AM

RE:Blind SQL issues
Hi,

You are doing it the right way - this is how it should be done to prevent SQL injections.

Best regards,
Juraj Ondrus
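Added example, not code from the thread or from Kentico: a Python/sqlite3 stand-in that shows the difference gatsby0121 is asking about, and why the "no exec()" part of the question matters. The Specials table, its rows, column names and the hidden value are all constructed for this example, and SQLite replaces SQL Server. The concatenating function plays the role of a stored procedure that rebuilds its statement with EXEC('...' + @specialID): the client call can be fully parameterized and injection still survives, because the procedure turns the bound value back into SQL text. The parameterized function is the shape the object[,] parameter array in the post produces. The blind_extract routine is the kind of boolean oracle a scanner is reporting when it says "blind SQL injection": it never sees an error or the data, only true/false, and still recovers a value character by character.

```python
import sqlite3
import string

# Hypothetical table and rows, constructed for this example; SQLite stands in
# for the SQL Server database behind the site. Nothing here is Kentico's schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Specials (SpecialID INTEGER, Code TEXT, Active INTEGER)")
    con.execute("INSERT INTO Specials VALUES (7, 'WINTER-2011', 1)")
    con.execute("INSERT INTO Specials VALUES (8, 'HIDDEN-CODE', 0)")
    return con


def check_special_concat(con, special_id):
    """Vulnerable variant: the caller's value is pasted into the SQL text.
    This is what a stored procedure does when it builds a statement with
    EXEC('... WHERE SpecialID = ' + @specialID); binding @specialID on the
    client side does not help, because the procedure re-concatenates it."""
    sql = ("SELECT COUNT(*) FROM Specials WHERE Active = 1 AND SpecialID = "
           + str(special_id))
    return con.execute(sql).fetchone()[0] > 0


def check_special_param(con, special_id):
    """Safe variant: the value is bound as a parameter, so the database engine
    only ever sees it as data, never as SQL grammar. This is the property the
    Kentico object[,] parameter array relies on."""
    sql = "SELECT COUNT(*) FROM Specials WHERE Active = 1 AND SpecialID = ?"
    return con.execute(sql, (special_id,)).fetchone()[0] > 0


def blind_extract(oracle, inner_select, max_len=32):
    """Boolean-based blind injection: recover the single value returned by
    inner_select one character at a time, using only the true/false answer
    of oracle(payload). A scanner reporting 'blind SQL injection' has found
    an oracle like this behind a parameter or cookie."""
    alphabet = string.ascii_uppercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # 7 is a valid, active ID so the base condition is true; the appended
            # comparison makes the overall answer depend on the guessed character.
            payload = f"7 AND (SELECT substr(({inner_select}), {pos}, 1)) = '{ch}'"
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


# Constructed target: the code of the inactive row, which the page never returns directly.
SECRET_QUERY = "SELECT Code FROM Specials WHERE SpecialID = 8"


def demo():
    """Runs both variants against the same payloads and returns the outcomes."""
    con = make_db()
    return {
        # a plain tautology turns an unknown/inactive ID into a hit
        "concat_bypassed": check_special_concat(con, "0 OR 1=1"),
        "param_bypassed": check_special_param(con, "0 OR 1=1"),
        # the blind oracle leaks the hidden value through the vulnerable path only
        "leaked_via_concat": blind_extract(lambda p: check_special_concat(con, p), SECRET_QUERY),
        "leaked_via_param": blind_extract(lambda p: check_special_param(con, p), SECRET_QUERY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The practical check this suggests for a Kentico site: the client-side parameter array settles the question for the call itself, so the remaining place to look is inside each stored procedure the site calls, for EXEC or sp_executesql applied to a string that has a parameter concatenated into it. The scanner findings on getfile.aspx and the session and polling cookies are a separate matter for the vendor, which is why the report was sent to support.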