Forum Discussion

Sergio_Magra
Feb 19, 2013

Filename is seen as a parameter and a SQL injection signature is applied

Hi, ASM (9.4.4) has a false positive: it detects the filename as a parameter and applies the following SQL injection signature:

False Positive: SQL-INJ "--" (SQL comment) (Parameter)

Please see the example below:

POST /app/send.asp?X=6066919 HTTP/1.1
Content-Length: 7374
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.site.com.ar
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSDQQDSB=BEDCIDEDOJKBLNGBAIIOAFNA; TSea8a3d=7c60168503bfcf24ce0c31dd15b7ce389035dffc2e4c5e3850feedb0226eee961c71a653
X-Forwarded-For: 16.19.1.21

-----------------------------7d117c2c490276
Content-Disposition: form-data; name="file1"; filename="C:\sending\TEMP\b00007_20130122.rta"
Content-Type: text/plain

22/01/2013@00007@0000000001@0001637111@03@00253400816631@1099,00@22/01/2013@S@80@20930251098@@@@
22/01/2013@00007@0000000001@0002605873@03@00225400140366@0,02@22/01/2013@S@80@20100373964@@@@
22/01/2013@00007@0000000001@0002938678@03@00064400561979@26,91@22/01/2013@S@80@27201659596@@@@
22/01/2013@00007@0000000001@0003028006@03@00250400918981@919,60@22/01/2013@S@80@20214789176@@@@

How to avoid this?

Thanks and Best regards

3 Replies

  • Thanks for the answer.

    But if it is not a parameter, will I need to disable the signature globally?

    On the other hand, could it be related to defining the parameter as binary in order to avoid it being scanned?

    Thanks and Best regards

  • Hi,

    why does the filename parameter contain the complete path? It should only contain the name.

    What is the detailed violation?

    Shouldn't 'file1' be the binary?

    Yes, you can set filename as a parameter to disable signature scanning. Then only some base signatures are scanned.

    But you cannot disable signature scanning completely for a single parameter.
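As an added illustration (not F5's code, and not a reproduction of how ASM 9.4.4 parses requests), the Python below splits the multipart body from the request in the original post into its fields and reports where a literal "--", the string the signature name refers to, would match. The posted request shows no Content-Type header carrying the boundary, so the example reads the boundary from the first body line (an assumption); the closing delimiter line, which the post does not show, is constructed, as is a second body with a genuine injection attempt in an ordinary field beside an upload whose hypothetical filename contains "--". The flag filename_is_parameter models the distinction the replies are circling: whether the filename attribute is run through the same value checks as a form parameter or handled separately.

```python
# Added example, not F5 code and not a reproduction of how ASM parses requests:
# split the multipart body from the post into its fields and report where a
# literal "--" (the SQL comment signature named in the post) would match.
import re
from dataclasses import dataclass
from typing import Optional

# Reconstructed from the post; the boundary string is copied from it. The
# closing delimiter line is not shown in the post and is constructed here.
SAMPLE_BODY = (
    b"-----------------------------7d117c2c490276\r\n"
    b'Content-Disposition: form-data; name="file1"; '
    b'filename="C:\\sending\\TEMP\\b00007_20130122.rta"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"22/01/2013@00007@0000000001@0001637111@03@00253400816631@1099,00@22/01/2013@S@80@20930251098@@@@\r\n"
    b"22/01/2013@00007@0000000001@0002605873@03@00225400140366@0,02@22/01/2013@S@80@20100373964@@@@\r\n"
    b"22/01/2013@00007@0000000001@0002938678@03@00064400561979@26,91@22/01/2013@S@80@27201659596@@@@\r\n"
    b"22/01/2013@00007@0000000001@0003028006@03@00250400918981@919,60@22/01/2013@S@80@20214789176@@@@\r\n"
    b"-----------------------------7d117c2c490276--\r\n"  # constructed closing delimiter
)

SQL_COMMENT = re.compile(rb"--")              # the literal the signature name describes
_DISP_PARAM = re.compile(r'(\w+)="([^"]*)"')  # name="..." and filename="..." pairs


@dataclass
class Part:
    name: str                # form field name from Content-Disposition
    filename: Optional[str]  # set only for file-upload parts
    content_type: str
    data: bytes              # without the CRLF that belongs to the next delimiter


def boundary_from_body(body: bytes) -> bytes:
    """Read the boundary from the first delimiter line ("--" + boundary). Assumption:
    the posted request shows no Content-Type header with boundary=..., so this is
    the only place it can be taken from."""
    first_line = body.split(b"\r\n", 1)[0]
    if not first_line.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    return first_line[2:]


def parse_multipart(body: bytes, boundary: bytes) -> list[Part]:
    """Minimal RFC 2046 style parser (CRLF line endings): delimiter, headers, blank line, data."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:  # [0] is the preamble (empty here)
        if chunk.startswith(b"--"):
            break                                   # "--boundary--" ends the body
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")  # skip the CRLF after the delimiter
        if not sep:
            raise ValueError("part has no header/body separator")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = dict(_DISP_PARAM.findall(headers.get("content-disposition", "")))
        if "name" not in disp:
            raise ValueError("part has no field name")
        parts.append(Part(disp["name"], disp.get("filename"),
                          headers.get("content-type", "text/plain"),
                          data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def build_multipart(boundary: bytes, parts: list[Part]) -> bytes:
    """Inverse of parse_multipart; used to construct further sample bodies."""
    out = b""
    for p in parts:
        disp = f'form-data; name="{p.name}"'
        if p.filename is not None:
            disp += f'; filename="{p.filename}"'
        out += (b"--" + boundary + b"\r\n"
                + f"Content-Disposition: {disp}\r\n".encode("latin-1")
                + f"Content-Type: {p.content_type}\r\n\r\n".encode("latin-1")
                + p.data + b"\r\n")
    return out + b"--" + boundary + b"--\r\n"


def signature_hits(body: bytes, filename_is_parameter: bool) -> list[str]:
    """Where the "--" literal fires. "raw body" fires on every multipart body, since
    each delimiter line starts with "--"; filename_is_parameter=True models a policy
    that checks the filename attribute like an ordinary form value."""
    hits = []
    if SQL_COMMENT.search(body):
        hits.append("raw body")
    for p in parse_multipart(body, boundary_from_body(body)):
        if p.filename is None:
            if SQL_COMMENT.search(p.data):
                hits.append(f"parameter {p.name}")
        elif filename_is_parameter and SQL_COMMENT.search(p.filename.encode("latin-1")):
            hits.append(f"filename of {p.name}")
    return hits


# Constructed second body: a real injection attempt in an ordinary field next
# to a harmless upload whose (hypothetical) filename happens to contain "--".
SUSPICIOUS_PARTS = [
    Part("comment", None, "text/plain", b"1 OR 1=1 --"),
    Part("file1", "b00007--20130122.rta", "text/plain", b"22/01/2013@00007@0000000001@@@@"),
]
SUSPICIOUS_BODY = build_multipart(b"xYz123", SUSPICIOUS_PARTS)
```

On the posted body the only place "--" occurs is the delimiter lines, so the parsed filename and the file data give no match in either mode. On the constructed body the injection in the comment field is reported in both modes, while the "--" in the filename is reported only when the filename attribute is treated as a parameter value. The match on the raw body is the reminder that any check applied before multipart decoding fires on every upload, whatever the fields contain.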