Blind SQL Injection in PostgreSQL
Hello,
I'm checking my web security with detectify.com, and I found a severe issue in cPanel. It was found at http://mydomain:2082/unprotected/loader.html. It said that there is a vulnerable GET variable goto_uri in that file, and that an attacker can execute SQL code, which includes reading/writing to the database and possibly writing directly to the file system.
Please help me solve this.
Thank you.
-
I think you will need to switch Home » Server Configuration » Tweak Settings; Security > Require SSL for cPanel Services to ON, and you may also want to switch Redirection > Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as "Always redirect to SSL/TLS" to ON as well.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look at that report and verify whether it's a false positive? You can post the ticket number here and we will update this thread with the outcome. Thank you.
Detectify is likely mistaking the loader.html file for something in a completely different application.