[ic] SQL Injection?
Jon Jensen
jon at endpoint.com
Fri Sep 19 16:36:20 UTC 2014
On Fri, 19 Sep 2014, Bob Puff wrote:
> Looks like I may have another issue. Again, the reference: CentOS 6,
> Perl 5.10.1 (non-threaded), IC 5.8.2. Just ran a PCI scan from
> controlscan.com, and they came back with a mess of SQL Injection vulns.
Thanks for the report, Bob. Most of us running production ecommerce sites
on Interchange created them some years ago and their template and page
code has diverged significantly from the standard demo, so our fixes for
past SQL injections may not have applied to the standard demo.
We welcome any patches you can contribute to fix such problems in the
demo!
It is typically easy to fix in ITL code by using:
[filter op=sql interpolate=1]...[/filter]
or
[PREFIX-filter sql]...[/filter]
around the SQL, or the js filter in JavaScript code or the entities filter
for plain HTML text.
Thanks,
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
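The advice above is to pass every user-supplied value through the sql filter before it lands inside an SQL string literal. The following is an added illustration of why that matters, written in Python against an in-memory SQLite table; it is not Interchange code and not part of the thread. The `sql_filter` function models what a quote-for-SQL filter does (doubling single quotes); the table, the sku values and the probe string are constructed for the example, and the placeholder variant shows the bind-parameter approach that DBI-style code can use instead of string building.

```python
import sqlite3


def sql_filter(value: str) -> str:
    """Model of a quote-for-SQL filter: double every single quote so the value
    can no longer terminate the string literal it is embedded in.
    (Constructed illustration, not Interchange's own filter implementation.)"""
    return value.replace("'", "''")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample catalog standing in for a products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("os28004", "Ear Muffs"),
         ("os28005", "Disposable Camera"),
         ("os28006", "Hot Dog")],
    )
    return conn


def lookup_unfiltered(conn: sqlite3.Connection, sku: str) -> list:
    """The pattern a scanner flags: the request value is interpolated directly
    into the SQL text, so quote characters in it change the query's meaning."""
    query = f"SELECT sku FROM products WHERE sku = '{sku}'"
    return [row[0] for row in conn.execute(query)]


def lookup_filtered(conn: sqlite3.Connection, sku: str) -> list:
    """Same string-built query, but the value goes through the sql filter first,
    which is what wrapping it in [filter op=sql]...[/filter] achieves in ITL."""
    query = f"SELECT sku FROM products WHERE sku = '{sql_filter(sku)}'"
    return [row[0] for row in conn.execute(query)]


def lookup_placeholder(conn: sqlite3.Connection, sku: str) -> list:
    """Bind parameter: the database never parses the value as SQL at all."""
    return [row[0] for row in
            conn.execute("SELECT sku FROM products WHERE sku = ?", (sku,))]


if __name__ == "__main__":
    conn = build_demo_db()
    # Constructed probe of the kind a PCI scanner submits in a form field.
    probe = "x' OR '1'='1"
    print(lookup_unfiltered(conn, probe))       # all three skus: WHERE clause was rewritten
    print(lookup_filtered(conn, probe))         # []: the quote is now part of the literal
    print(lookup_placeholder(conn, probe))      # []
    print(lookup_placeholder(conn, "os28005"))  # ['os28005']
```

Running the three lookups with the same probe string shows the difference directly: the unfiltered query returns every row because the WHERE clause was rewritten, while the filtered and placeholder versions return nothing, exactly as a lookup for a non-existent sku should.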