False Positive SQLi

14 August 2011, 17:52

Hiawatha version:
Operating System: Linux


I'm getting false positive SQL injections when I attempt to upload an email attachment using the Zarafa email server.
If I set 'PreventSQLi = no' it works fine, but I would like to keep PreventSQLi enabled if possible when I go live on the net.

|Sun 14 Aug 2011 11:35:03 -0400|email/index.php|SQLi|load=dialog&task=attachments_modal&store=0000000038a1bb1005e5101aa1bb08002b2a56c200007a617261666136636c69656e742e646c6c0000000000d4473e7b54de4f898463f6ded31a4df601000000010000003e625a169d364433b424709212b8911570736575646f3a2f2f5a617261666100&entryid=&dialog_attachments=9837979f6192d6819fe3db90eb69c4f4
|Sun 14 Aug 2011 11:44:07 -0400|email/index.php|SQLi|load=dialog&task=attachments_modal&store=0000000038a1bb1005e5101aa1bb08002b2a56c200007a617261666136636c69656e742e646c6c0000000000d4473e7b54de4f898463f6ded31a4df601000000010000003e625a169d364433b424709212b8911570736575646f3a2f2f5a617261666100&entryid=&dialog_attachments=9f0f72c5db77672fa22cfd7470ef2d13


Hugo Leisink
14 August 2011, 19:08
PreventSQLi is not an option to turn on by default. You should only use this option if you fully understand what it does and your web application is vulnerable to SQL injection and there is no other way to fix it.

From what I know, Zarafa is safe and you should therefore not use this option.
14 August 2011, 20:11
You're right. Thanks for your answer.
This topic has been closed.