When an invalid string is appended to my site's address, the page displays the raw SQL error on screen. It needs to be corrected to show a generic error message, so the error does not risk leaking information that could lead to the site being compromised.
This is from McAfee Secure, the scanning software I use on my site, which made me aware of the issue:
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data.
The information gathered from the specific error responses generated using various input validation techniques by the web application scanner has determined the remote host may be running a MySQL database.
The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via webapp may cause a database to generate an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access.
The site runs osCommerce with a MySQL database.
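One way to apply the fix described above, as an added example that is not osCommerce's own code and not part of this post: a lookup that echoes the database error beside a hardened version that records the MySQL error server-side and shows the visitor only a generic message. The `$db` mysqli connection, the table and column names, and the log message format are assumptions for illustration.

```php
<?php
// Added example (not osCommerce's own code). Assumes an open mysqli connection in $db.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw exceptions

// BEFORE (the behaviour the scanner flagged): the raw MySQL error reaches the browser,
// revealing table and column names, the query text and hints about the server version.
function product_lookup_leaky(mysqli $db, string $id): array {
    try {
        // Input concatenated straight into SQL: a malformed string breaks the syntax.
        $result = $db->query("SELECT products_name FROM products_description WHERE products_id = " . $id);
        return $result->fetch_all(MYSQLI_ASSOC);
    } catch (mysqli_sql_exception $e) {
        die('SQL error: ' . $e->getMessage()); // information disclosure on screen
    }
}

// AFTER: the same lookup with the detail kept out of the response.
function product_lookup_safe(mysqli $db, string $id): array {
    // Validate first: a product id is a positive integer, nothing else is worth querying.
    if (!ctype_digit($id)) {
        http_response_code(404);
        exit('Product not found.'); // generic, says nothing about the database
    }
    try {
        // Parameterised query: the user value is bound as data, never parsed as SQL,
        // so it cannot produce a syntax error or alter the statement.
        $stmt = $db->prepare('SELECT products_name FROM products_description WHERE products_id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    } catch (mysqli_sql_exception $e) {
        // Full detail goes to the server error log for the administrator only.
        error_log(sprintf('[shop] database error %d in product lookup: %s', $e->getCode(), $e->getMessage()));
        http_response_code(500);
        // Visitor sees a fixed message with no MySQL, table or query details.
        exit('Sorry, an error occurred while processing your request. Please try again later.');
    }
}
```

Alongside the code change, production php.ini should have `display_errors = Off` and `log_errors = On`, so PHP's own warnings (which can include file paths) are also written to the log instead of the page.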
6 freelancers have bid an average of $35 for this job
I have already worked on osCommerce projects, and I would be glad to work on this issue too. I have 3 years of experience as a PHP programmer and am currently working as a Senior Programmer.