• Resolved Ruben

    (@rubenecho)


    Hi,

    We have received a PCI scan of our website and there are 2 items, CGI Generic SQL Injection (blind, time-based) and CGI Generic Local File Inclusion, that made our report fail, with a bit of a negative impact on us.

    After looking into the report we found that this plugin is the cause of the vulnerabilities.
    This is one of the flagged examples:

    Using the POST HTTP method, SecurityMetrics found that :
    + The following resources may be vulnerable to local file inclusion :
    + The 'dgwt_wcas' parameter of the / CGI :
    / [dgwt_wcas=/%00.html]
    -------- output --------
    'home-banner') ); ?>

    Is this something that you guys can address? This could affect more people.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Kris

    (@c0nst)

    Hi @rubenecho,

    Thanks for letting us know about this.

    After initial analysis, this is a false positive because the dgwt_wcas parameter is not processed anywhere in the code. FiboSearch only checks if the parameter exists to determine the page related to search results.

    To potentially fix the issue, could you share more details about what the report found and how it came to those conclusions? This will help us get a better handle on the vulnerabilities and take the right steps to resolve them.

    If any of the details are confidential or sensitive, please don’t publish them.

    Regards,
    Kris
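
    The claim above (the parameter is only tested for existence, so its value is never processed) is something a site owner can verify before disputing a scan. The following is an added example, not code from this thread or from the FiboSearch plugin: a differential triage script for a single parameter. It compares the response for the scanner's payload with the response for a harmless value and with the page fetched without the parameter at all; if every payload response is byte-identical to the harmless-value response, the value is not being used. It also checks whether the scanner's "evidence" (here, PHP source text such as `?>`) is already present on the page without any payload, and measures latency for a time-based probe. Only the parameter name `dgwt_wcas` and the `/%00.html` payload come from the report; the `../../etc/passwd` path, the `SLEEP(5)` probe, the marker strings and the two simulated sites are constructed for illustration. The HTTP layer is injected as a callable so the script runs offline; a real fetcher would POST to a site you are authorised to test.

```python
"""Differential triage of a 'CGI Generic LFI' / 'time-based SQLi' scanner finding
against one request parameter. The HTTP layer is injected as a callable so the
whole script runs offline against constructed responses."""
import statistics
from typing import Callable, Dict, List, Tuple

# fetch(fields) -> (response_body, elapsed_seconds) for one POST with those fields.
Fetcher = Callable[[Dict[str, str]], Tuple[str, float]]

PARAM = "dgwt_wcas"                                     # parameter named in the report
LFI_PAYLOADS = ["/%00.html", "../../../../etc/passwd"]  # first is the report's, second is assumed
SLEEP_PAYLOAD = "1' AND SLEEP(5)-- -"                   # hypothetical time-based probe, 5 s
# Strings a scanner typically treats as evidence of a disclosed file or source code.
EVIDENCE_MARKERS = ["root:x:0:0", "<?php", "?>"]


def triage_lfi(fetch: Fetcher, param: str = PARAM, payloads=LFI_PAYLOADS) -> dict:
    """Compare each payload response with the no-parameter baseline and with a
    harmless-value response. Evidence markers already present in the baseline
    were not produced by the payload; identical bodies for payload and harmless
    value mean the parameter's value is not processed."""
    baseline, _ = fetch({})
    benign, _ = fetch({param: "search"})
    value_ignored = True
    new_evidence: Dict[str, List[str]] = {}
    for p in payloads:
        body, _ = fetch({param: p})
        if body != benign:
            value_ignored = False
        new_evidence[p] = [m for m in EVIDENCE_MARKERS if m in body and m not in baseline]
    if any(new_evidence.values()):
        verdict = "likely real LFI"
    elif value_ignored:
        verdict = "false positive (value not processed)"
    else:
        verdict = "inconclusive: value changes output, review manually"
    return {
        "value_ignored": value_ignored,
        "evidence_already_in_baseline": [m for m in EVIDENCE_MARKERS if m in baseline],
        "new_evidence_per_payload": new_evidence,
        "verdict": verdict,
    }


def triage_time_based(fetch: Fetcher, param: str = PARAM, payload: str = SLEEP_PAYLOAD,
                      samples: int = 5, expected_delay: float = 5.0) -> dict:
    """Median latency of the sleep probe versus a harmless value. A delay counts
    only if it is at least half the requested sleep, which tolerates jitter."""
    control = [fetch({param: "search"})[1] for _ in range(samples)]
    probe = [fetch({param: payload})[1] for _ in range(samples)]
    delta = statistics.median(probe) - statistics.median(control)
    return {"median_delta_s": round(delta, 3), "delay_observed": delta >= expected_delay / 2}


# --- constructed responses standing in for live sites (not real captures) ---------
THEME_FRAGMENT = "'home-banner') ); ?>"   # PHP text already visible on every page
HOME = "<html><body class='home'>" + THEME_FRAGMENT + "<p>Welcome</p></body></html>"
SEARCH = "<html><body class='search-results'>" + THEME_FRAGMENT + "<p>Results</p></body></html>"


def fetch_existence_check(fields: Dict[str, str]) -> Tuple[str, float]:
    """Simulates a plugin that only tests whether the parameter is present."""
    return (SEARCH if PARAM in fields else HOME), 0.2


def fetch_vulnerable(fields: Dict[str, str]) -> Tuple[str, float]:
    """Simulates a site that includes the value as a file path and runs it in SQL."""
    value = fields.get(PARAM, "")
    elapsed = 0.2 + (5.0 if "SLEEP(5)" in value else 0.0)
    if value.endswith("etc/passwd"):
        return HOME + "root:x:0:0:root:/root:/bin/bash", elapsed
    return (SEARCH if PARAM in fields else HOME), elapsed


if __name__ == "__main__":
    for name, site in [("existence-check site", fetch_existence_check),
                       ("vulnerable site", fetch_vulnerable)]:
        print(name, "->", triage_lfi(site)["verdict"], triage_time_based(site))
```

    On the simulated existence-check site the script reports the `?>` marker as already present in the baseline page and the value as ignored, which is the false-positive pattern described in the reply; on the simulated vulnerable site the `etc/passwd` payload introduces new evidence and the sleep probe adds about five seconds. Against a real target, run the control and probe samples interleaved rather than back to back so a busy server does not skew the timing comparison.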

    Thread Starter Ruben

    (@rubenecho)

    Hi Kris,

    The information that comes in the report is sensitive, so I can share it here. We made some changes at the server level and we are compliant again, so everything is sorted.

    Thank you for the help that I know you were going to give if needed.

    Ruben
