SQL injection - penetration test


by Manar Alseddiqi -
Number of replies: 2
We had an external penetration test, and below are the findings on Moodle:


Results: Under a specific environment SQL injection was executed.

Description: When specific SQL requests were made, it reflected an undefined response.

The userid parameter appears to be vulnerable to SQL injection attacks. The payloads 62586018' or 1623=1623-- and 61015647' or 9130=9135-- were each submitted in the userid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.


Could you please advise me on how to address this issue?




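Why a true/false payload pair produces different responses on an unsafe query path, and what the hardened path looks like, as an added example that is not part of the original post or of Moodle's code. The in-memory SQLite table, the lookup functions and the integer userid check are assumptions constructed for the demonstration; only the two payloads are taken from the finding quoted above.

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

# Payloads exactly as quoted in the pentest finding above.
PAYLOAD_TRUE = "62586018' or 1623=1623--"   # always-true condition
PAYLOAD_FALSE = "61015647' or 9130=9135--"  # always-false condition

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory table, not Moodle's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO user (id, username) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, userid: str) -> List[Row]:
    """Hypothetical unsafe lookup: the request parameter is pasted into the SQL text.
    With PAYLOAD_TRUE the WHERE clause becomes
      id = '62586018' or 1623=1623--'
    so every row matches; with PAYLOAD_FALSE nothing matches. The differing
    responses are exactly what the scanner reported."""
    sql = f"SELECT id, username FROM user WHERE id = '{userid}'"
    return conn.execute(sql).fetchall()


def parse_userid(value: str) -> Optional[int]:
    """userid is an integer id (assumption); anything else is rejected before SQL."""
    return int(value) if value.isdigit() else None


def lookup_user_safe(conn: sqlite3.Connection, userid: str) -> List[Row]:
    """Hardened lookup: validate the type, then bind the value as a parameter.
    The database receives the query text and the value separately, so the
    input cannot change the structure of the query."""
    uid = parse_userid(userid)
    if uid is None:
        return []  # treated as "no such user"
    return conn.execute(
        "SELECT id, username FROM user WHERE id = ?", (uid,)
    ).fetchall()


def responses_differ(lookup: Callable[[sqlite3.Connection, str], List[Row]],
                     conn: sqlite3.Connection) -> bool:
    """The boolean-based check from the finding, applied to one code path:
    a true/false pair that yields different responses means the input reaches
    the query unsafely; identical responses mean the query is not affected."""
    return lookup(conn, PAYLOAD_TRUE) != lookup(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable path differs:", responses_differ(lookup_user_vulnerable, db))  # True
    print("hardened path differs:  ", responses_differ(lookup_user_safe, db))        # False
    print("normal lookup:", lookup_user_safe(db, "2"))                               # [(2, 'bob')]
```

In Moodle's PHP code the same principle applies: the value goes through a placeholder in the database API rather than into the SQL string, and an id parameter is validated as an integer before it is used. Note that two different responses can also come from causes unrelated to SQL (for example a non-numeric userid taking a different error path), which is why a finding like this is verified against the actual code that handles the parameter, and why the reply below asks for it to be sent through the security submission form.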
In reply to Manar Alseddiqi

Re: SQL injection - penetration test

by Michael Hawkins -
Core developers, Moodle HQ, Particularly helpful Moodlers, Peer reviewers, Testers
Hi there,

It would be great if you could submit your findings via our Security Submission form, which will allow you to provide full details and we can then investigate further. Please do not post findings in this public forum if you think you have identified a vulnerability (even if the details are incomplete). See the Security Procedures and Responsible Disclosure Policy document for more information.

This sounds like it could be a false positive, but would still be worth sending through the proper form so we can verify.

Thanks!