Security and paginate

(This post was last modified: 11-02-2021, 04:01 AM by captain-sensible. Edit Reason: inform web down )

I have a website I'm working on, set up on Apache on localhost with a virtual host etc., so that the URL to serve the landing page is: 127.0.0.2

Now there is a useful program from OWASP called ZAP. You can use that program to attack websites, even on localhost, to see what issues are brought up.

Now I got this output:

Code:
SQL Injection
http://127.0.0.2/displayGallery?page=1+AND+1%3D1+--+

The page results were successfully manipulated using the boolean conditions [1 AND 1=1 -- ] and [1 AND 1=2 -- ]
The parameter value being modified was stripped from the HTML output for the purposes of the comparison
Data was returned for the original parameter.
The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

The URL it's quoting involves /displayGallery.
The route I set up is:

Code:
$routes->get('displayGallery','Gallery::displayGallery');

So the class that is invoked is Gallery and the class method is displayGallery.
The relevant section of that controller class is:

Code:
// Model used for the gallery listing
$handle = new GalleryModel();

$data = [
    'title'  => 'paginate',
    'result' => $handle->paginate(5),   // five rows per page
    'pager'  => $handle->pager,
    'date'   => $this->myDate,
];
echo view('displayGallery', $data);

and the section of GalleryModel is:

Code:
use CodeIgniter\Model;

class GalleryModel extends Model
{
    protected $table         = 'gallery';
    protected $primaryKey    = 'Id';
    protected $allowedFields = ['image', 'imageTitle', 'slug'];
    protected $limit;
    protected $offset;
    protected $Id;
    protected $imageTitle;
    protected $slug;
    protected $category;
    protected $info;
    protected $db;

    // ... (rest of the model not shown)
}

So in summary, I think I'm following reasonable coding in that I use the CI4 model and what it provides to paginate results. The pagination, by the way, works perfectly.
Now I always thought that SQL injection was a problem where there was an input field and what's entered would find its way to a database. Now I think I also read that it's probably a good idea to avoid GET requests as much as possible, since it involves a URL and somebody can play with that.

My overall thinking is that since the pagination simply retrieves data and there is no input field, this is a false positive. I thought it prudent to find out what other people think.


PS 11.01 am UK time:

Code:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
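An added example, not part of the original post and not CodeIgniter's own code: a standalone PHP script that takes the `page` value out of the URL in the ZAP report and compares a loose `(int)` cast with strict validation before the value would reach the pager. The helper names `strictPage` and `pageParam` are hypothetical, and every sample URL after the first is constructed (the second from the `[1 AND 1=2 -- ]` condition the report quotes).

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of CodeIgniter: accept only a plain
// positive integer (1..999999) as a page number, otherwise return null.
function strictPage(?string $raw): ?int
{
    if ($raw === null || preg_match('/\A[1-9][0-9]{0,5}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Extract the decoded "page" value from a URL's query string.
// Returns null when the parameter is absent or is not a plain string.
function pageParam(string $url): ?string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return isset($query['page']) && is_string($query['page']) ? $query['page'] : null;
}

// The first URL is the one in the ZAP report; the others are constructed samples.
$samples = [
    'http://127.0.0.2/displayGallery?page=1+AND+1%3D1+--+',
    'http://127.0.0.2/displayGallery?page=1+AND+1%3D2+--+',
    'http://127.0.0.2/displayGallery?page=3',
    'http://127.0.0.2/displayGallery?page[]=3',
    'http://127.0.0.2/displayGallery',
];

foreach ($samples as $url) {
    $raw    = pageParam($url);
    $strict = strictPage($raw);
    printf(
        "%-22s loose (int) cast: %d   strict: %s\n",
        var_export($raw, true),
        (int) $raw,   // PHP keeps the leading digits and drops the rest
        $strict === null ? 'rejected' : (string) $strict
    );
}

// Assumed wiring in the controller: answer a rejected value with a 404
// (or fall back to page 1 when the parameter is simply absent), then pass
// the validated number explicitly: $handle->paginate(5, 'default', $page)
```

The strict path treats a missing parameter the same as an invalid one, so the caller decides whether that means page 1 or an error.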


Messages In This Thread
Security and paginate - by captain-sensible - 11-02-2021, 03:57 AM
RE: Security and paginate - by includebeer - 11-02-2021, 04:38 PM
RE: Security and paginate - by kenjis - 11-05-2021, 06:10 AM
RE: Security and paginate - by kenjis - 11-02-2021, 09:11 PM
RE: Security and paginate - by captain-sensible - 11-04-2021, 09:28 AM
RE: Security and paginate - by salain - 11-03-2021, 01:08 AM
RE: Security and paginate - by kenjis - 11-03-2021, 01:17 AM
RE: Security and paginate - by includebeer - 11-05-2021, 02:29 PM


