xt:Commerce Community Forum

McAfee Secure


Vit


Hello everyone,

Does anyone use McAfee Secure?

I started using McAfee Secure and immediately began receiving a lot of vulnerability notifications.

For example:

The issue that is being detected on the website which is causing the McAfee Secure certification not to display is the 'MySQL Database Error Disclosure'. This shows up in the vulnerabilities section as a level 4 issue. Our scanner is finding this due to the following directory /create_account.php.

The values on this form are not filtered. Our scanner submits invalid data to the fields and the website submits the invalid request to the database instead of filtering it out. This causes the MySQL error that is being captured. To resolve this the website code needs to be modified to check this form for proper values being submitted before submitting the query to your database.

The single best way to fix this vulnerability is to identify the acceptable input for each form parameter and reject input that does not meet that criteria.

The following is an acceptable solution; however, it is not optimal.

Implement content parsing on data input fields including URL parameters.

Remove the following characters from any user or dynamic database input: (examples in VBScript)

' (escape the single quote) input = replace( input, "'", "''" )

" (double quote) input = replace( input, """", "" )

) (close parenthesis) input = replace( input, ")", "" )

( (open parenthesis) input = replace( input, "(", "" )

; (semi-colon) input = replace( input, ";", "" )

- (dash) input = replace( input, "-", "" )

| (pipe) input = replace( input, "|", "" )

On text input it is recommended to append quotes around the user supplied input.

Has anyone run into this kind of problem? Is it really a security threat? If so, is there a solution? Where does it have to be fixed?

Thanks in advance,

Vit
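As an added example (not xt:Commerce's own code and not McAfee's), this is what the report's preferred fix looks like in PHP for a create-account form: each field is checked against an allow-list before any query runs, the query uses a prepared statement, and a database error is logged server-side instead of being echoed to the browser. The field names, the `customers` table and the use of PDO are assumptions for illustration.

```php
<?php
// Added example, not xt:Commerce code: allow-list validation of the
// create-account form plus a prepared statement, so invalid input never
// reaches MySQL and a MySQL error message never reaches the client.

// Per-field rules. Field names are assumed, not xt:Commerce's real ones.
const FIELD_RULES = [
    'email'     => ['max' => 254, 'check' => 'is_email'],
    'firstname' => ['max' => 64,  'check' => 'is_name'],
    'lastname'  => ['max' => 64,  'check' => 'is_name'],
];

function is_email(string $v): bool {
    return filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
}

// Letters (umlauts included), spaces, apostrophes and hyphens are allowed:
// "O'Brien" and "Anne-Marie" pass here, whereas the character-stripping
// approach from the report would silently mangle them.
function is_name(string $v): bool {
    return preg_match("/^\\p{L}[\\p{L} '\\-]*$/u", $v) === 1;
}

// Returns the names of the fields that fail validation (empty = all valid).
function validate_account_form(array $post): array {
    $bad = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || $value === ''
            || strlen($value) > $rule['max'] || !$rule['check']($value)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

function create_account(PDO $db, array $post): bool {
    if (validate_account_form($post) !== []) {
        return false; // rejected before any query; report the field, not the SQL
    }
    try {
        $stmt = $db->prepare(
            'INSERT INTO customers (email, firstname, lastname) VALUES (?, ?, ?)'
        );
        return $stmt->execute([$post['email'], $post['firstname'], $post['lastname']]);
    } catch (PDOException $e) {
        error_log('create_account failed: ' . $e->getMessage()); // server log only
        return false; // never send $e->getMessage() to the browser
    }
}
```

With `validate_account_form` rejecting the scanner's probe values up front, the query is never attempted and there is no "MySQL Database Error Disclosure" for the scanner to capture.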

