SQL injection - penetration test


by Manar Alseddiqi
Number of replies: 2
We had an external penetration test, and below are the findings on Moodle:


Results: Under a specific environment SQL injection was executed.

Description: When specific SQL requests were made, it reflected an undefined response.

The userid parameter appears to be vulnerable to SQL injection attacks. The payloads 62586018' or 1623=1623-- and 61015647' or 9130=9135-- were each submitted in the userid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Could you please advise me on how to address this issue?




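The finding quoted above is the classic boolean-based check: one probe carries a tautology that is true (1623=1623), the other one that is false (9130=9135), and a difference in the two responses is taken as evidence that the value is spliced into SQL text. The example below is added here and is not Moodle code nor code from the poster or the tester; it uses an in-memory SQLite table (constructed sample rows) to reproduce why the two probes diverge when userid is concatenated into the query, and why they stop diverging once the value is bound as a parameter or coerced to an integer before it reaches SQL. The function names, the table and the rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a user table.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The two probe values quoted in the finding: first tautology true, second false.
PROBE_TRUE = "62586018' or 1623=1623--"
PROBE_FALSE = "61015647' or 9130=9135--"


def make_db():
    """Build a throwaway SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, userid):
    """String concatenation: the request value becomes part of the SQL text,
    so a quote followed by OR changes the WHERE clause itself."""
    sql = "SELECT id, username FROM user WHERE id = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, userid):
    """Bound parameter: the driver sends the value as data, never as SQL."""
    sql = "SELECT id, username FROM user WHERE id = ?"
    return conn.execute(sql, (userid,)).fetchall()


def lookup_typed(conn, userid):
    """Type-clean the value first (what Moodle's PARAM_INT cleaning does for
    required_param/optional_param); anything that is not an integer is rejected
    before any query is built. Returns None where Moodle would raise an
    invalid-parameter error."""
    try:
        uid = int(userid)
    except ValueError:
        return None
    return lookup_safe(conn, uid)


def responds_differently(lookup, conn):
    """The tester's heuristic: do the true and false probes give different results?
    True means the query structure is under the client's control."""
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe), ("typed", lookup_typed)):
        print(f"{name:6s}: probes give different results -> {responds_differently(fn, db)}")
```

Running it shows the differential only for the concatenated query: the true probe returns every row and the false probe returns none, while the parameterised and type-cleaned lookups return the same (empty or rejected) result for both. In Moodle code the equivalents are `required_param('userid', PARAM_INT)` for the input and placeholders in the `$DB` API (for example `$DB->get_record_sql('... WHERE id = ?', [$userid])`) for the query; a value that only ever reaches a bound parameter cannot alter the query's structure, so the same two-probe comparison is also a quick way to confirm or rule out a scanner's report against a specific endpoint.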
In reply to Manar Alseddiqi

Re: SQL injection - penetration test

by Michael Hawkins
Hi there,

It would be great if you could submit your findings via our Security Submission form, which will allow you to provide full details and we can then investigate further. Please do not post findings in this public forum if you think you have identified a vulnerability (even if the details are incomplete). See the Security Procedures and Responsible Disclosure Policy document for more information.

This sounds like it could be a false positive, but would still be worth sending through the proper form so we can verify.

Thanks!