Remediation Steps
Follow the steps below to remediate this finding on Joomla. Use the Joomla Database API to build parameterised queries:
$db = JFactory::getDbo(); $query = $db->getQuery(true) ->select('*') ->from($db->quoteName('users')) ->where($db->quoteName('id') . ' = ' . $...
Remediation Steps
Follow the steps below to remediate this finding on Drupal. Use Drupal's database abstraction layer for all queries:
$results = \Drupal::database()->select('users', 'u') ->fields('u') ->condition('uid', $uid, '=') ->execute() ->fetchAll();
For complex queries, u...
Remediation Steps
Follow the steps below to remediate this finding on Generic / Developer guidance. MySQL-specific SQL injection exploits MySQL syntax and functions.
Remediation:
Use PDO or MySQLi with prepared statements — never string-concatenate user input into queries.
Disable...
Remediation Steps
Follow the steps below to remediate this finding on WordPress. Use $wpdb->prepare() for all custom MySQL queries:
$results = $wpdb->get_results( $wpdb->prepare('SELECT * FROM wp_users WHERE user_login = %s', $username) );
Ensure the WordPress database user only ...
Remediation Steps
Follow the steps below to remediate this finding on Joomla. Use the Joomla Database API with $db->quote() for all MySQL queries. Ensure the Joomla database user has only the necessary MySQL privileges. Enable Joomla's SQL debug log in development to detect unpar...
Remediation Steps
Follow the steps below to remediate this finding on Drupal. Use Drupal's database abstraction layer, which automatically escapes and parameterises MySQL queries. Review any custom modules using db_query() with raw string interpolation and replace with the query...
Remediation Steps
Follow the steps below to remediate this finding on Linux (Debian/Ubuntu). Edit /etc/ssh/sshd_config and restrict the Ciphers directive to exclude CBC mode ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-...
Remediation Steps
Follow the steps below to remediate this finding on Linux (RHEL/CentOS/AlmaLinux). Edit /etc/ssh/sshd_config and restrict the Ciphers directive:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com...
Remediation Steps
Follow the steps below to remediate this finding on Windows. For Win32-OpenSSH, edit C:\ProgramData\ssh\sshd_config (or %PROGRAMDATA%\ssh\sshd_config). Add or update the Ciphers directive to exclude CBC ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gc...
Remediation Steps
Follow the steps below to remediate this finding on Linux (Debian/Ubuntu). The Terrapin attack requires both ChaCha20-Poly1305 or CBC with Encrypt-then-MAC AND the use of prefix truncation during handshake. The primary fix is to update OpenSSH to a version that...
Remediation Steps
Follow the steps below to remediate this finding on Linux (RHEL/CentOS/AlmaLinux). Update OpenSSH to 9.6+ if available:
sudo dnf update openssh-server openssh-clients
If the update is not available, disable the affected algorithms in /etc/ssh/sshd_config:
Ciphers...
Remediation Steps
Follow the steps below to remediate this finding on Windows. Update Win32-OpenSSH to version 9.6 or later. If an update is unavailable, edit sshd_config to disable the affected algorithms:
Ciphers -chacha20-poly1305@openssh.com
MACs -hmac-sha2-256-etm@openssh.co...
Remediation Steps
Follow the steps below to remediate this finding on Linux (Debian/Ubuntu). Edit /etc/ssh/sshd_config and restrict the KexAlgorithms directive to strong algorithms:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp38...
Remediation Steps
Follow the steps below to remediate this finding on Linux (RHEL/CentOS/AlmaLinux). Edit /etc/ssh/sshd_config and restrict the KexAlgorithms directive:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-n...
Remediation Steps
Follow the steps below to remediate this finding on Windows. Edit C:\ProgramData\ssh\sshd_config and add or update:
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha...
Remediation Steps
Follow the steps below to remediate this finding on Microsoft IIS webserver. Use IIS Crypto (free tool) to disable anonymous (NULL) cipher suites. Open IIS Crypto, select the "Best Practices" template or manually uncheck all cipher suites containing "ANON" or "...
Remediation Steps
Follow the steps below to remediate this finding on Nginx webserver. In your nginx.conf, configure ssl_ciphers to exclude anonymous and NULL suites:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AE...
Remediation Steps
Follow the steps below to remediate this finding on Apache webserver. In your Apache SSL configuration (e.g., ssl.conf or VirtualHost), set:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-...
Remediation Steps
Follow the steps below to remediate this finding on Plesk. Log in to the Plesk control panel. Navigate to Domains > your domain > SSL/TLS Certificates. Use the SSL/TLS settings to configure allowed cipher suites, or navigate to Apache & nginx Settings and add th...
Remediation Steps
Follow the steps below to remediate this finding on Microsoft IIS webserver. Obtain a certificate from a publicly trusted Certificate Authority (CA) such as Let's Encrypt, DigiCert, or Sectigo. In IIS Manager, select your site and click Bindings. Edit the HTTPS ...