NewReportingTemplate Example

Printed: 14 Jan, 2024
Grouped By: Vulnerability Type

Scan Report
Scanned Branch Name: EylamCX-patch-390
DevTenantQAOrg/DevQA
Project Created: 14 Jan, 2024 | 8:08 AM
PrivateSCA Last Scanned: 14 Jan, 2024 | 8:12 AM

Table of Contents

Filtered By                                          2
Scan Information                                     2
Project & Scan Tags                                  2
Scan Results Overview                                3
  By Density / Grade                                 3
  By Status                                          3
  By Severity                                        3
  By State                                           3
  By Language                                        3
  By Vulnerability                                   3
  Top 10 Vulnerabilities                             4
  Top 10 Vulnerable Files                            4
  5 Oldest Vulnerabilities                           4
Scan Results                                         5
  SQL_Injection                                      5
  Privacy_Violation                                  7
  Parameter_Tampering                                9
  Hardcoded_password_in_Connection_String           10
Resolved Vulnerabilities                            11
Categories                                          12
  ASD STIG 4.10                                     12
  FISMA 2014                                        12
  NIST SP 800-53                                    12
  OWASP Top 10 2013                                 12
  OWASP Top 10 2017                                 13
  OWASP Top 10 2021                                 13
  PCI DSS v3.2.1                                    13
Vulnerability Details                               14
  SQL_Injection                                     14
  Privacy_Violation                                 14
  Parameter_Tampering                               14
  Hardcoded_password_in_Connection_String           15

Filtered By

Severity:
Excluded: None
Result State: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed, Urgent
Excluded: None
Status: New, Recurrent, Resolved
Excluded: None
Queries: Link

Results limited to: 10000

Scan Information

Scan Id: f17abcb6-8b74-4ca6-98ab-49283838c9b7
Scan Duration: 0h 2m 22s
Preset: ASA Premium
Scan Type: Full Scan
Source Origin: github
Branch: EylamCX-patch-390
Scanned Branch Name: EylamCX-patch-390
LOC Scanned: 95
Files Scanned: 8
Groups: None
Density: 63.16 vulnerabilities per 1,000 LOC (6 results / 95 LOC x 1000; the report's column label "Vulnerabilities / LOC" means per thousand lines)
Initiator: EylamCX
Online Results: Link

Project & Scan Tags

Project Tags:

None

Scan Tags:

None

Page 2 of 15
Scan Results Overview

By Density / Grade
  Vulnerabilities: 6
  Code Lines: 95
  Density: 63.16 vulnerabilities per 1,000 LOC (6 / 95 x 1000)

By Status
  New: 0 (0%)
  Recurrent: 6 (100%)

By Severity
  Severity      Count   Share     Density (per 1,000 LOC)
  Critical      0       0.00%     0.00
  High          2       33.33%    21.05
  Medium        4       66.67%    42.11
  Low           0       0.00%     0.00
  Information   0       0.00%     0.00

By State
  State                       Count   Share     Density (per 1,000 LOC)
  To Verify                   5       83.33%    52.63
  Not Exploitable             1       16.67%    10.53
  Proposed Not Exploitable    0       0.00%     0.00
  Confirmed                   0       0.00%     0.00
  Urgent                      0       0.00%     0.00

By Language
  Language   Total   Critical   High   Medium   Low   Info   Density (per 1,000 LOC)
  vb6        6       0          2      4        0     0      63.16

By Vulnerability
  Vulnerability Type                         Critical   High   Medium   Low   Info   Files
  SQL_Injection                              0          2      0        0     0      1
  Privacy_Violation                          0          0      2        0     0      1
  Parameter_Tampering                        0          0      1        0     0      1
  Hardcoded_password_in_Connection_String    0          0      1        0     0      1
  Total                                      0          2      4        0     0      1

Top 10 Vulnerabilities (6 results in 1 vulnerable file)
  Counts are Critical / High / Medium / Low / Information.
  1. SQL_Injection                              0   2   0   0   0
  2. Privacy_Violation                          0   0   2   0   0
  3. Parameter_Tampering                        0   0   1   0   0
  4. Hardcoded_password_in_Connection_String    0   0   1   0   0

Top 10 Vulnerable Files (1 of 8 files)
  1. /encode.frm                                0   2   4   0   0

5 Oldest Vulnerabilities by severity
  Critical: no data to show
  High:
    1. SQL_Injection                            576 days
  Medium:
    1. Hardcoded_password_in_Connection_String  576 days
    2. Parameter_Tampering                      576 days
    3. Privacy_Violation                        576 days
  Low: no data to show
  Information: no data to show

Page 4 of 15
Scan results (6)

SQL_Injection (Type)

Query Path: VB6/VB6_High_Risk/SQL_Injection
CWE Id: 89
Total results: 2

Description: The application's @DestinationMethod method executes an SQL query with @DestinationElement, at line @DestinationLine of @DestinationFile. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly. An attacker would be able to inject arbitrary syntax and data into the SQL query, by crafting a malicious payload and providing it via the input @SourceElement; this input is then read by the @SourceMethod method at line @SourceLine of @SourceFile. This input then flows through the code, into a query and to the database server - without sanitization. This may enable an SQL Injection attack.

Category:
  ASD STIG 4.10: APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.
  FISMA 2014: System And Information Integrity
  NIST SP 800-53: SI-10 Information Input Validation (P1)
  OWASP Top 10 2013: A1-Injection
  OWASP Top 10 2017: A1-Injection
  OWASP Top 10 2021: A3-Injection
  OWASP ASVS: V05 Validation, Sanitization and Encoding
  PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection
  SANS top 25: SANS top 25
  CWE top 25: CWE top 25
  MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data

Result 1 of 2
Severity: High | Status: Recurrent | State: To Verify | Similarity Id: -1686050849
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method cmdunsafe_click, element text
Destination: /encode.frm, method cmdunsafe_click, element openrecordset

Code Snippets (line numbers are those of /encode.frm):
  42  password = txtPassword.Text
  52  Set rs = m_DB.OpenRecordset(query, dbOpenSnapshot)

Page 5 of 15
Result 2 of 2
Severity: High | Status: Recurrent | State: Not Exploitable | Similarity Id: 1293969900
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method cmdunsafe_click, element text
Destination: /encode.frm, method cmdunsafe_click, element openrecordset

Code Snippets (line numbers are those of /encode.frm):
  41  user_name = txtUserName.Text
  52  Set rs = m_DB.OpenRecordset(query, dbOpenSnapshot)

Page 6 of 15
Privacy_Violation (Type)

Query Path: VB6/VB6_Medium_Threat/Privacy_Violation
CWE Id: 359
Total results: 2

Description: Method @SourceMethod at line @SourceLine of @SourceFile sends user information outside the application. This may constitute a Privacy Violation.

Category:
  ASD STIG 4.10: APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
  FISMA 2014: Identification And Authentication
  NIST SP 800-53: SC-4 Information in Shared Resources (P1)
  OWASP Top 10 2013: A6-Sensitive Data Exposure
  OWASP Top 10 2017: A3-Sensitive Data Exposure
  OWASP Top 10 2021: A1-Broken Access Control
  OWASP ASVS: V10 Malicious Code
  SANS top 25: SANS top 25
  CWE top 25: CWE top 25
  MOIS(KISA) Secure Coding 2021: MOIS(KISA) Security Functions

Result 1 of 2
Severity: Medium | Status: Recurrent | State: To Verify | Similarity Id: 1551899440
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method cmdunsafe_click, element password
Destination: /encode.frm, method cmdunsafe_click, element text

Code Snippets (line numbers are those of /encode.frm):
  42  password = txtPassword.Text
  48  txtQuery.Text = query


Page 7 of 15
Result 2 of 2
Severity: Medium | Status: Recurrent | State: To Verify | Similarity Id: -762430504
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method cmdsafe_click, element password
Destination: /encode.frm, method cmdsafe_click, element text

Code Snippets (line numbers are those of /encode.frm):
  11  password = Replace$(txtPassword.Text, "'", "''")
  17  txtQuery.Text = query

Page 8 of 15
Parameter_Tampering (Type)

Query Path: VB6/VB6_Medium_Threat/Parameter_Tampering
CWE Id: 472
Total results: 1

Description: Method @SourceMethod at line @SourceLine of @SourceFile gets user input from element @SourceElement. This input is later concatenated by the application directly into a string variable containing SQL commands, without being validated. This string is then used in method @DestinationMethod to query the database @DestinationElement, at line @DestinationLine of @DestinationFile, without any additional filtering by the database. This could allow the user to tamper with the filter parameter.

Category:
  ASD STIG 4.10: APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.
  OWASP Top 10 2013: A4-Insecure Direct Object References
  OWASP Top 10 2017: A5-Broken Access Control
  OWASP Top 10 2021: A4-Insecure Design
  OWASP ASVS: V01 Architecture, Design and Threat Modeling
  MOIS(KISA) Secure Coding 2021: MOIS(KISA) Security Functions

Result 1 of 1
Severity: Medium | Status: Recurrent | State: To Verify | Similarity Id: 1433408755
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method CxMethod_Vb6_encode_d95407b7, element text
Destination: /encode.frm, method CxMethod_Vb6_encode_d95407b7, element open

Code Snippets (line numbers are those of /encode.frm):
  65  p = txtP.Text
  82  rs.Open cmd, , adOpenStatic, adLockOptimistic

Page 9 of 15
Hardcoded_password_in_Connection_String (Type)

Query Path: VB6/VB6_Medium_Threat/Hardcoded_password_in_Connection_String
CWE Id: 547
Total results: 1

Description: The application contains hardcoded connection details, @SourceElement, at line @SourceLine of @SourceFile. This connection string contains a hardcoded password, which is used in @DestinationMethod at line @DestinationLine of @DestinationFile to connect to a database server with @DestinationElement. This can expose the database password, and impede proper password management.

Category:
  ASD STIG 4.10: APSC-DV-003110 - CAT I The application must not contain embedded authentication data.
  OWASP Top 10 2013: A2-Broken Authentication and Session Management
  OWASP Top 10 2017: A2-Broken Authentication
  OWASP Top 10 2021: A5-Security Misconfiguration

Result 1 of 1
Severity: Medium | Status: Recurrent | State: To Verify | Similarity Id: 1095279650
Found First: 14 Jan, 2024 | Found Last: 14 Jan, 2024 | First Scan ID: 427b4005-31c6-4948-be8a-dc24c885bdd9
Source:      /encode.frm, method CxMethod_Vb6_encode_d95407b7, element "connection string"
Destination: /encode.frm, method CxMethod_Vb6_encode_d95407b7, element open

Code Snippets (line numbers are those of /encode.frm):
  67  conn.Open "connection string"

Page 10 of 15
Resolved Vulnerabilities (0)

No data to show

Page 11 of 15
Categories

Counts per category are Critical / High / Medium / Low / Information.

ASD STIG 4.10
  Crit  High  Med  Low  Info  Category
  0     0     2    0    0     APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
  0     0     1    0    0     APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.
  0     0     1    0    0     APSC-DV-003110 - CAT I The application must not contain embedded authentication data.
  0     2     0    0    0     APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.

FISMA 2014
  Crit  High  Med  Low  Info  Category
  0     2     0    0    0     System And Information Integrity
  0     0     2    0    0     Identification And Authentication

NIST SP 800-53
  Crit  High  Med  Low  Info  Category
  0     0     2    0    0     SC-4 Information in Shared Resources (P1)
  0     2     0    0    0     SI-10 Information Input Validation (P1)

OWASP Top 10 2013
  Crit  High  Med  Low  Info  Category
  0     0     1    0    0     A4-Insecure Direct Object References
  0     0     1    0    0     A2-Broken Authentication and Session Management
  0     2     0    0    0     A1-Injection
  0     0     2    0    0     A6-Sensitive Data Exposure

OWASP Top 10 2017
  Crit  High  Med  Low  Info  Category
  0     0     1    0    0     A2-Broken Authentication
  0     2     0    0    0     A1-Injection
  0     0     2    0    0     A3-Sensitive Data Exposure
  0     0     1    0    0     A5-Broken Access Control

OWASP Top 10 2021
  Crit  High  Med  Low  Info  Category
  0     0     2    0    0     A1-Broken Access Control
  0     0     1    0    0     A4-Insecure Design
  0     0     1    0    0     A5-Security Misconfiguration
  0     2     0    0    0     A3-Injection

PCI DSS v3.2.1
  Crit  High  Med  Low  Info  Category
  0     2     0    0    0     PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection

Page 13 of 15
Vulnerability Details

SQL_Injection (CWE 89)

What Is The Risk


An attacker could directly access all of the system's data. The attacker would likely be able to steal any sensitive information stored by the
system, including private user information, credit card details, proprietary business data, and any other secret data. Likewise, the attacker
could possibly modify or erase existing data, or even add new bogus data. In some scenarios, it may even be possible to execute code on
the database. In addition to disclosing or altering confidential information directly, this vulnerability might also be used to achieve
secondary effects, such as bypassing authentication, subverting security checks, or forging a data trail. Further increasing the likelihood of
exploit is the fact that this flaw is easy for attackers to find, and easy to exploit.

What Can Cause It

The application stores and manages data in a database, by submitting a textual SQL query to the database engine for processing. The application creates the query by simple string concatenation, embedding untrusted data. There is no separation between data and code, and the embedded data is neither checked for data type validity nor subsequently sanitized. Thus, the untrusted data could contain SQL commands, or modify the intended query. The database would interpret the altered query and commands as if they originated from the application, and execute them accordingly. Note that an attacker can exploit this vulnerability through any input that reaches the query: here the txtUserName and txtPassword fields read in cmdunsafe_click, or in other applications a URL, a request field or a file.

General Recommendations

* Validate all untrusted data, regardless of source. Validation should be based on a whitelist: accept only data fitting a specified structure, rather than reject bad patterns.
* In particular, check for:
  * Data type
  * Size
  * Range
  * Format
  * Expected values.
* Restrict access to database objects and functionality, according to the Principle of Least Privilege.
* Do not dynamically concatenate strings to construct SQL queries.
* Prefer using DB Stored Procedures for all data access, instead of ad-hoc dynamic queries.
* Instead of unsafe string concatenation, use secure database components such as parameterized queries and object bindings (for example, commands and parameters).
* Alternatively, an even better solution is to use an ORM library, in order to pre-define and encapsulate the allowed commands enabled for the application, instead of dynamically accessing the database directly. In this way the code plane and data plane are isolated from each other.
* Prefer using ADODB `Command` and `Parameter` objects with the `Command`'s `CommandType` property set to `adCmdStoredProc`, to safely call a database Stored Procedure instead of dynamically executing a SQL string directly. Provide the parameters to the SP using `Parameter` objects, using the `Command`'s `CreateParameter` and `Parameters.Append` methods.

Privacy_Violation (CWE 359)

What Is The Risk


A user’s personal information could be stolen by a malicious programmer, or an attacker that intercepts the data.

What Can Cause It

The application sends user information, such as passwords, account information, or credit card numbers, outside the application, such as writing it to a local text or log file or sending it to an external web service. In this scan both results are the value of txtPassword being copied, as part of the assembled query string, into the txtQuery control (lines 48 and 17 of /encode.frm), so the secret is rendered on screen and would reach any log that records the query text.

General Recommendations

1. Personal data should be removed before writing to logs or other files.


2. Review the need and justification of sending personal data to remote web services.
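As an added example (not code from the scanned encode.frm, and not Checkmarx's own remediation code), the login lookup that the two SQL_Injection results describe, followed by the same lookup written with the ADODB `Command` and `Parameter` objects recommended above. It also serves the Privacy_Violation recommendations: with bound parameters the password never becomes part of the query text, so what is shown in txtQuery or written to a log contains only placeholders. The names txtUserName, txtPassword, txtQuery, m_DB and dbOpenSnapshot are those in the report's snippets; the module-level ADODB connection `conn` (already open), the table users(user_id, user_name, password) and the stored procedure usp_AuthenticateUser are assumptions.

```vb
' Added example (not code from encode.frm). Requires project references to
' Microsoft DAO (for m_DB, as in the report) and Microsoft ActiveX Data
' Objects 2.x (ADODB). Assumed: module-level ADODB.Connection "conn" that is
' already open, table users(user_id, user_name, password), and stored
' procedure usp_AuthenticateUser taking @user_name and @password.

' --- Before: untrusted text spliced into the query (report lines 41, 42, 48, 52) ---
Private Sub cmdUnsafe_Click()
    Dim user_name As String, password As String, query As String
    Dim rs As DAO.Recordset

    user_name = txtUserName.Text
    password = txtPassword.Text
    ' A user name of   admin' --   comments out the password check entirely
    query = "SELECT user_id FROM users WHERE user_name = '" & user_name & _
            "' AND password = '" & password & "'"
    txtQuery.Text = query                                ' Privacy_Violation: secret now on screen
    Set rs = m_DB.OpenRecordset(query, dbOpenSnapshot)   ' SQL_Injection sink
    rs.Close
End Sub

' --- After: parameterized ad-hoc query (CommandType adCmdText) ---
Private Function AuthenticateUser(ByVal userName As String, ByVal password As String) As Boolean
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Only placeholders in the text; the provider sends the values separately,
    ' so quotes, comment markers or keywords in the input are plain data
    cmd.CommandText = "SELECT user_id FROM users WHERE user_name = ? AND password = ?"
    cmd.Parameters.Append cmd.CreateParameter("user_name", adVarWChar, adParamInput, 64, userName)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, 128, password)

    txtQuery.Text = cmd.CommandText                      ' safe to show or log: no user data in it
    Set rs = cmd.Execute
    AuthenticateUser = Not rs.EOF
    rs.Close
End Function

' --- After: stored procedure (CommandType adCmdStoredProc), as recommended above ---
Private Function AuthenticateUserSP(ByVal userName As String, ByVal password As String) As Boolean
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_AuthenticateUser"
    cmd.Parameters.Append cmd.CreateParameter("@user_name", adVarWChar, adParamInput, 64, userName)
    cmd.Parameters.Append cmd.CreateParameter("@password", adVarWChar, adParamInput, 128, password)
    Set rs = cmd.Execute
    AuthenticateUserSP = Not rs.EOF
    rs.Close
End Function
```

One caveat the report's own results illustrate: the cmdsafe_click handler in the same file (Privacy_Violation result 2, line 11) doubles single quotes with `Replace$` before building the query, and no SQL_Injection result was reported for it. Quote-doubling defeats the classic quoted-string payload, but it is not a substitute for parameters: it gives no protection in an unquoted numeric position (the txtP value in the Parameter_Tampering result), and the escaped password still ends up in txtQuery.Text.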

Parameter_Tampering (CWE 472)

What Is The Risk


A malicious user could access other users’ information. By requesting information directly, such as by an account number, authorization may
be bypassed and the attacker could steal confidential or restricted information (for example, a bank account balance), using a direct object
reference.

What Can Cause It

The application provides user information without filtering by user ID. For example, it may provide information solely by a submitted account ID. The application concatenates the user input directly into the SQL query string, without any additional filtering. The application also does not perform any validation on the input, nor constrain it to a pre-computed list of acceptable values.

General Recommendations

Generic Guidance:
* Enforce authorization checks before providing any access to sensitive data, including the specific object reference.
* Explicitly block access to any unauthorized data, especially to other users’ data.
* If possible, avoid allowing the user to request arbitrary data by simply sending a record ID. For example, instead of having the user send an account ID, the application should look up the account ID for the current authenticated user session.

Specific Mitigation:
* Do not concatenate user input directly into SQL queries.
* Include a user-specific identifier as a filter in the WHERE clause of the SQL query.
* Map the user input to an indirect reference, e.g. via a prepared list of allowable values.
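As an added example, not from the scanned project: the account lookup the Parameter_Tampering result describes (txtP.Text concatenated into the string passed to rs.Open) beside a version that applies the specific mitigations above, plus the indirect-reference variant. txtP, conn and the rs.Open call come from the report; the table accounts(account_id, owner_id, balance), the module-level m_CurrentUserId set at login, the lblBalance label and the cboAccount combo box are assumptions.

```vb
' Added example (not code from encode.frm). Requires ADODB. Assumed: an open
' module-level ADODB.Connection "conn", a module-level Long m_CurrentUserId set
' when the user logged in, table accounts(account_id, owner_id, balance), and
' the controls lblBalance and cboAccount.

' --- Before: whatever is typed into txtP selects the row (report lines 65, 82) ---
Private Sub ShowBalanceUnsafe()
    Dim p As String, cmd As String
    Dim rs As ADODB.Recordset

    p = txtP.Text
    cmd = "SELECT balance FROM accounts WHERE account_id = " & p
    Set rs = New ADODB.Recordset
    rs.ActiveConnection = conn
    rs.Open cmd, , adOpenStatic, adLockOptimistic
    ' Two problems: any account number, including another customer's, is
    ' accepted; and because p is unquoted, "1 OR 1=1" widens the query
    ' without needing a single quote, so quote-doubling would not help here
    If Not rs.EOF Then lblBalance.Caption = rs.Fields("balance").Value
    rs.Close
End Sub

' --- After: whitelist-validate, bind, and filter by the authenticated owner ---
Private Function GetOwnBalance(ByVal rawAccountId As String, ByRef balance As Currency) As Boolean
    Dim accountId As Long
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset

    ' Type, size and format checks before the value goes anywhere near SQL
    If Len(rawAccountId) = 0 Or Len(rawAccountId) > 9 Then Exit Function
    If rawAccountId Like "*[!0-9]*" Then Exit Function
    accountId = CLng(rawAccountId)

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' owner_id comes from the session, never from the client, so a valid
    ' account_id that belongs to someone else simply returns no row
    cmd.CommandText = "SELECT balance FROM accounts WHERE account_id = ? AND owner_id = ?"
    cmd.Parameters.Append cmd.CreateParameter("account_id", adInteger, adParamInput, , accountId)
    cmd.Parameters.Append cmd.CreateParameter("owner_id", adInteger, adParamInput, , m_CurrentUserId)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        balance = rs.Fields("balance").Value
        GetOwnBalance = True
    End If
    rs.Close
End Function

' --- Indirect reference: the user picks from a list of their own accounts ---
' cboAccount is filled at login from rows with owner_id = m_CurrentUserId, with
' each account_id stored in ItemData, so free-text entry of an id is never needed.
Private Function SelectedAccountId() As Long
    If cboAccount.ListIndex < 0 Then Exit Function
    SelectedAccountId = cboAccount.ItemData(cboAccount.ListIndex)
End Function
```

GetOwnBalance returns False both for malformed input and for an account the caller does not own; the UI should show the same "not found" message in both cases rather than reveal which one applied.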

Hardcoded_password_in_Connection_String (CWE 547)

What Is The Risk

Hardcoded database passwords expose the application to password leakage, and the database to unauthorized access. If an attacker gains access to the source code (or can decompile the application binaries), the attacker will be able to steal the embedded passwords, and use them to directly access the database. This would enable the attacker to steal secret information, modify sensitive records, or delete important data. In addition, the password cannot be easily changed when required: rotating it means building and deploying a new version of the application to production systems.

What Can Cause It


The application has the database password hardcoded in the source code files, and uses this password in a connection string to the
database or other server. This password is visible to anyone with access to source code, and cannot be changed without rebuilding or
recompiling the application. Even after compilation or deployment, the password and connection string are still present in the binary
program files or production environment.

General Recommendations

- Never hardcode sensitive data, such as database passwords.


- Prefer to avoid requiring an explicit database password at all, instead using OS-integrated system authentication.
- Alternatively, store the password in an encrypted configuration file, and implement a mechanism enabling administrators to change
the password. Ensure the file permissions are configured to restrict access to administrators only.
- In particular, if the database supports Integrated Windows Authentication, prefer to use a Windows user over SQL user.
- Configure the connection string with "`Integrated Security=SSPI;`" (or "`Yes`").
- Alternatively, provide the connection string from an external container, e.g. using COM+ ConstructorStrings.
- If the application is required to explicitly define the database credentials, these should be stored in an encrypted configuration file,
separate from the source code.
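As an added example, not from the scanned project: the embedded credential the Hardcoded_password_in_Connection_String result describes, beside the two alternatives recommended above (Integrated Windows Authentication, and a connection string read from a file kept outside the source tree). The `conn.Open` call is from the report; the provider, server name dbserver, database AppDb, the sample credential and the path C:\ProgramData\App\db.ini are constructed placeholders. The file read here is a plain INI; restricting its ACL and encrypting it at rest (EFS on the folder, or DPAPI) are deployment steps the code does not show.

```vb
' Added example (not code from encode.frm). Assumed: module-level
' ADODB.Connection "conn", server "dbserver", database "AppDb", and the
' file C:\ProgramData\App\db.ini with section [Database], key ConnectionString.

' Win32 INI reader; Declare statements must sit in the module's declarations section
Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" _
    (ByVal lpApplicationName As String, ByVal lpKeyName As String, ByVal lpDefault As String, _
     ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long

' --- Before: credential compiled into the form (report line 67) ---
Private Sub ConnectUnsafe()
    conn.Open "Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=AppDb;" & _
              "User ID=appuser;Password=S3cret!"      ' readable in the source and in the built .exe
End Sub

' --- Preferred: Integrated Windows Authentication, no password in the string ---
Private Sub ConnectIntegrated()
    conn.Open "Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=AppDb;" & _
              "Integrated Security=SSPI;"
End Sub

' --- Fallback when a SQL login is unavoidable: the whole connection string
'     lives in a file outside the source tree that administrators can change ---
Private Function ReadConnectionString(ByVal iniPath As String) As String
    Dim buf As String, n As Long
    buf = String$(1024, vbNullChar)
    n = GetPrivateProfileString("Database", "ConnectionString", "", buf, Len(buf), iniPath)
    ReadConnectionString = Left$(buf, n)                 ' empty string if the key or file is missing
End Function

Private Sub ConnectFromConfig()
    Dim cs As String
    cs = ReadConnectionString("C:\ProgramData\App\db.ini")
    If Len(cs) = 0 Then Err.Raise vbObjectError + 513, , "Database configuration missing"
    conn.Open cs
    ' Rotating the password now means editing db.ini, not rebuilding the application
End Sub
```

Of the three, ConnectIntegrated is the one to aim for: it satisfies APSC-DV-003110 outright, because there is no authentication data anywhere in the application or its configuration.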

Page 15 of 15
