

SQL Injection Attack

4 posts, 0 answered
  1. Jacques
    427 posts
    Registered: 28 Jun 2007
    09 Jul 2009
    During testing our Sitefinity implementation showed vulnerability to SQL Injection attacks and Blind SQL Injection attacks.

    Sitefinity: 3.6
    Oracle 10g

    1. Does Sitefinity use stored procedures to perform authentication?
    2. Does Sitefinity check for hazardous user input like script tags etc.?
    3. Does the CMS part of the system use both client and server side validation to ensure correct input is provided?

    Regards,
    Jacques
  2. Georgi
    3583 posts
    Registered: 28 Oct 2016
    09 Jul 2009
    Hello J.Hov,

    First, before I mention anything else, I want to assure you that SQL Injection attacks are not possible with Sitefinity. Every database query executed is constructed by our Object-Relational mapper and we don't insert user-inputted data into the queries. We are using stored procedures for every API method, so I am not sure how you can change the query. It's important to tell you that if you have any custom functionality, you should be prepared to filter your data before you construct the queries, but this is not the case when you use the ORM. Now to answer your questions:

    1. Does Sitefinity use stored procedures to perform authentication? 
    Yes. We extract the user's details with stored procedures.

    2. Does Sitefinity check for hazardous user input like script tags etc.? 
    This is an Asp.Net feature - Event Validation, and it is enabled by default for all pages, user controls and modules. 

    3. Does the CMS part of the system use both client and server side validation to ensure correct input is provided? 
    Yes.

    Could you please open a new support ticket with the details of this case? We are very interested in it and want to find out the reasons for your concerns.

    Kind regards,
    Georgi
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
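The distinction Georgi draws above, between queries the ORM or a stored procedure builds with bound parameters and custom code that splices user input into SQL text, is the whole of the SQL injection question. The following is an added example, not Sitefinity or Telerik code and not tied to Oracle: it places a concatenated lookup beside a parameterized one on an in-memory SQLite table with constructed sample data, so the structural difference can be run and observed. The table, the user and the lookup functions are all assumptions made for the demonstration.

```python
# Added example (not Sitefinity or Telerik code): the difference between
# building a SQL query by string concatenation and binding user input as a
# parameter, which is what an ORM or a stored-procedure call does for you.
# Uses an in-memory SQLite database with constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def lookup_user_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    character in the input changes the *structure* of the query rather
    than being treated as a value to compare against."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the driver binds the value
    separately, so whatever the input contains it can only ever be matched
    against the username column, never interpreted as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A username containing a single quote is enough to show the difference;
    # with concatenation the quote closes the literal and the rest of the
    # input is parsed as SQL, with binding it is just an unmatched string.
    odd_input = "' OR '1'='1"
    print("concatenated :", lookup_user_concatenated(db, odd_input))
    print("parameterized:", lookup_user_parameterized(db, odd_input))
```

Running the block prints the concatenated lookup returning the stored user for an input that is not a username at all, while the parameterized lookup returns nothing, which is exactly the behaviour Jacques' testers would have been probing for. The fix is not to filter quotes out of the input but to keep the SQL text and the data in separate channels, as the second function does.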
  3. Jacques
    427 posts
    Registered: 28 Jun 2007
    09 Jul 2009
    2. Does Sitefinity check for hazardous user input like script tags etc.? 
    This is an Asp.Net feature - Event Validation, and it is enabled by default for all pages, user controls and modules.

    In the web.config there's no reference to eventValidation in the pages node where I would expect it to be. I've checked across three different installations of Sitefinity and none of the web.config files have this attribute set. How is it enabled by default as you say if not by the web.config file? Or is this something Sitefinity is producing for each page?

    Regards,
    Jacques
  4. Georgi
    3583 posts
    Registered: 28 Oct 2016
    09 Jul 2009
    Hello J.Hov,

    Thank you for your question.

    It is enabled internally. There are many properties that are not defined in the .config files, but they are surely initialized with a default value. In this case, the default value of enableEventValidation is True. You can run a simple test, though: just try to submit a custom form with HTML in one of the fields and check the result.

    Kind regards,
    Georgi
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
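Jacques' question in post 3 is really about how to read a web.config when the attribute is simply not there: an absent attribute means the framework default applies, not that the feature is off. The block below is an added example, not Telerik or Sitefinity code, that resolves the effective value of two ASP.NET `<pages>` settings from a web.config and reports whether each came from the file or from the default. It assumes the ASP.NET 2.0/3.5 defaults, where both `enableEventValidation` (postback and viewstate event integrity) and `validateRequest` (the request-validation check that rejects HTML-like input, the behaviour Georgi's submit-a-form test exercises) default to true; the two sample configs are constructed for the demonstration.

```python
# Added example (not Telerik or Sitefinity code): resolve the *effective*
# value of ASP.NET <pages> validation settings from a web.config, applying
# the framework default when the attribute is absent. Assumes the ASP.NET
# 2.0/3.5 defaults: enableEventValidation and validateRequest are both true
# unless the file says otherwise.
import xml.etree.ElementTree as ET

# Framework defaults used when the attribute is not written in web.config.
PAGES_DEFAULTS = {
    "enableEventValidation": True,
    "validateRequest": True,
}


def _to_bool(text: str) -> bool:
    """Parse the true/false strings ASP.NET accepts for boolean attributes."""
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"not a boolean attribute value: {text!r}")
    return value == "true"


def _find_child(element, tag):
    """Return the first direct child with the given tag, or None.
    (Iterating avoids XPath so tag names containing a dot, such as
    system.web, need no special handling.)"""
    if element is None:
        return None
    for child in element:
        if child.tag == tag:
            return child
    return None


def effective_pages_settings(web_config_xml: str) -> dict:
    """Return {setting: (effective_value, source)} where source is
    'web.config' when the attribute is set explicitly and 'default'
    when the framework default applies because the attribute is absent."""
    root = ET.fromstring(web_config_xml)
    pages = _find_child(_find_child(root, "system.web"), "pages")
    result = {}
    for name, default in PAGES_DEFAULTS.items():
        if pages is not None and name in pages.attrib:
            result[name] = (_to_bool(pages.attrib[name]), "web.config")
        else:
            result[name] = (default, "default")
    return result


# Constructed sample: a <pages> node with no validation attributes at all,
# the situation Jacques describes across his three installations.
CONFIG_NO_ATTRIBUTES = """<configuration>
  <system.web>
    <pages theme="Basic" />
  </system.web>
</configuration>"""

# Constructed sample: event validation switched off explicitly, which is the
# case a configuration review actually needs to catch.
CONFIG_EVENT_VALIDATION_OFF = """<configuration>
  <system.web>
    <pages enableEventValidation="false" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("no attributes", CONFIG_NO_ATTRIBUTES),
                       ("event validation off", CONFIG_EVENT_VALIDATION_OFF)):
        print(label)
        for name, (value, source) in effective_pages_settings(cfg).items():
            print(f"  {name} = {value} ({source})")
```

Reading the config this way turns "the attribute is missing" from an open question into a definite answer, and makes the dangerous case, an explicit `false`, stand out in a review rather than blending in with the many settings that are legitimately left unwritten.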