False Positive SQLi

Andre
14 August 2011, 17:52

Hiawatha version:
Operating System: Linux

Hi,

I'm getting false positive SQL injections when I attempt to upload an email attachment using zarafa email server http://www.zarafa.com.
If I set 'PreventSQLi = no' it works fine, but I would like to keep PreventSQLi enabled if possible when I go live on the net.

10.30.0.10|Sun 14 Aug 2011 11:35:03 -0400|email/index.php|SQLi|load=dialog&task=attachments_modal&store=0000000038a1bb1005e5101aa1bb08002b2a56c200007a617261666136636c69656e742e646c6c0000000000d4473e7b54de4f898463f6ded31a4df601000000010000003e625a169d364433b424709212b8911570736575646f3a2f2f5a617261666100&entryid=&dialog_attachments=9837979f6192d6819fe3db90eb69c4f4

10.30.0.10|Sun 14 Aug 2011 11:44:07 -0400|email/index.php|SQLi|load=dialog&task=attachments_modal&store=0000000038a1bb1005e5101aa1bb08002b2a56c200007a617261666136636c69656e742e646c6c0000000000d4473e7b54de4f898463f6ded31a4df601000000010000003e625a169d364433b424709212b8911570736575646f3a2f2f5a617261666100&entryid=&dialog_attachments=9f0f72c5db77672fa22cfd7470ef2d13

Thanks,

Andre
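
The two log lines above carry the request that PreventSQLi rejected, and the only unusual thing in the query string is the long hex blob in the 'store' parameter. The script below is an added example, written for this thread by the editor; it is not code from Andre, Hugo, Hiawatha or Zarafa. It splits one of the quoted log lines into its '|'-separated fields (the field names client/timestamp/path/reason/query are this example's own labels, not Hiawatha's documented log format), parses the query string, and hex-decodes every parameter that looks hex-encoded so you can see what it actually contains. The thread does not say which pattern Hiawatha's heuristic matched, so the script does not try to reproduce that check; it only shows that the decoded 'store' value is a binary Zarafa entry id (it embeds the strings "zarafa6client.dll" and "pseudo://Zarafa"), which is the kind of evidence you want before deciding that a PreventSQLi hit is a false positive.

```python
import binascii
import re
from urllib.parse import parse_qs

# Sample input: the first blocked-request line quoted in the post above,
# embedded here so the script runs offline.
SAMPLE_LINE = (
    "10.30.0.10|Sun 14 Aug 2011 11:35:03 -0400|email/index.php|SQLi|"
    "load=dialog&task=attachments_modal&store="
    "0000000038a1bb1005e5101aa1bb08002b2a56c200007a617261666136636c69656e742e"
    "646c6c0000000000d4473e7b54de4f898463f6ded31a4df601000000010000003e625a16"
    "9d364433b424709212b8911570736575646f3a2f2f5a617261666100"
    "&entryid=&dialog_attachments=9837979f6192d6819fe3db90eb69c4f4"
)

# An even-length run of hex digits: what a hex-encoded binary value looks like.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_blocked_line(line):
    """Split one log line into its five '|'-separated fields.

    The field names used here (client, timestamp, path, reason, query) are
    this example's own labels for the columns visible in the post; they are
    an assumption, not Hiawatha's documented log format.
    """
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError("expected 5 '|'-separated fields, got %d" % len(fields))
    client, timestamp, path, reason, query = fields
    return {
        "client": client,
        "timestamp": timestamp,
        "path": path,
        "reason": reason,
        # keep_blank_values so that the empty 'entryid=' parameter survives
        "query": parse_qs(query, keep_blank_values=True),
    }


def hex_param_strings(value, min_len=6):
    """Return the printable-ASCII runs (at least min_len characters) found
    inside a hex-encoded parameter value; [] if the value is not valid hex."""
    if not HEX_RE.match(value):
        return []
    raw = binascii.unhexlify(value)
    # printable ASCII is 0x20 (space) .. 0x7e (tilde)
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(raw)]


def hex_params(entry, min_len=6):
    """Map every query parameter that looks hex-encoded to the readable
    strings inside it (an empty list means nothing readable was found)."""
    out = {}
    for name, values in entry["query"].items():
        for value in values:
            if value and HEX_RE.match(value):
                out[name] = hex_param_strings(value, min_len)
    return out


if __name__ == "__main__":
    entry = parse_blocked_line(SAMPLE_LINE)
    print("blocked request from %s, reason %s, path %s"
          % (entry["client"], entry["reason"], entry["path"]))
    for name, strings in hex_params(entry).items():
        print("  %s: %d hex chars -> %r"
              % (name, len(entry["query"][name][0]), strings))
```

Running it prints the 'store' parameter as a 200-character hex string that decodes to "zarafa6client.dll" and "pseudo://Zarafa", and 'dialog_attachments' as 32 hex characters with no readable content (an opaque id). Neither contains anything SQL-like; if a flagged parameter had decoded to quotes, comment markers or SQL keywords instead, that would be the moment to look harder rather than turn the check off.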
Hugo Leisink
14 August 2011, 19:08
PreventSQLi is not an option to turn on by default. You should only use this option if you fully understand what it does, your web application is vulnerable to SQL injection and there is no other way to fix it.

As far as I know, Zarafa is safe and you should therefore not use this option.
Andre
14 August 2011, 20:11
You're right. Thanks for your answer.
This topic has been closed.