logo

NPDS
Responsive

NPDS REvolution 16.8
1 visiteur(s) et 0 membre(s) en ligne.
Mercredi 22 avril 2026 à 18:42:10
Plus de contenu

Index du forum »»  Sécurité »» search.php - time based sql injection

Modérateur(s)developpeurjpbJireck

Poster une réponse dans le sujet

A propos des messages publiés :
Les utilisateurs anonymes peuvent poster de nouveaux sujets et des réponses dans ce forum.

http https ftp sftp
Languages
Markup Php Css js SQL

Coller l'ID de votre vidéo entre les deux balises :
[video_yt]xxxx[/video_yt]
[video_vm]xxxx[/video_vm]
[video_dm]xxxx[/video_dm]

Youtube Vimeo Dailymotion
 

Aperçu des sujets :

developpeur developpeur
Posté : 25-01-2015 18:07
Ce post reprends en anglais le topic déjà discuté ici => http://www.npds.org/viewtopic.php?topic=26189&forum=12

La correction sera mise à disposition rapidement
developpeur developpeur
Posté : 25-01-2015 18:03
======================================

Reported By - Narendra Bhati

Email - bhati.contact@gmail.com

Security Analyst @ Suma Soft. Pvt. Ltd

======================================

It is a time based sql injection http request = which is taking a time to response which make me confirm that there is a sql injection

===============================================



File : search.php



The verification in search.php that a SQL query is able to execute the sql statement: 'benchmark' establish the potential vulnerability to a SQL injection.



It's brilliant and many thanks to Narendra Bhati (Security Analyst - IT Risk & Security Management Services chez Suma Soft) for this.



Correction:

- The first step to correct is to add the word 'benchmark' in url protect.php (modules/include).

=> add a line below the " delete ", instruction in the sql_injection section => " benchmark ", in order to disable the issue.



- The second step is made directly by the core of NPDS in the sanitation of the SQL flow.



Many thanks one more time to Narendra Bhati.