VirtueMart Forum

VirtueMart 2 + 3 + 4 => Security (https) / Performance / SEO, SEF, URLs => Topic started by: rjcroasdale on February 24, 2016, 09:17:16 AM

Title: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 09:17:16 AM
Hello community, hope all are well this morning, afternoon or evening :)

I have been going through the process of server hardening, resolving all those issues you get with a new server to make it PCI compliant etc. - when I came across this, but I really am a bit of a SQL Injection newb so I would like if someone could take a look and see, is this just false positive nonsense or is there something in it? For the two URLs one shows standard Joomla 404 component not found HTTP/1.1" 404, other just blank page no code at all and HTTP/1.1" 200. No httpd error or warnings produced in log. Joomla! 3.4.8, VirtueMart 3.0.12. Thank you for reading and any advice  :-*


Status: Automatic Failure as listed by the PCI SSC (This must be resolved for your device to be compliant)
Plugin: "CGI Generic SQL Injection (blind)"
Category: "CGI abuses" Priority Urgent

Synopsis:
A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description:
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Note that this script is experimental and may be prone to false positives.
See also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html http://www.securitydocs.com/library/2651 http://projects.webappsec.org/SQL-Injection

Risk factor HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Plugin output:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'format' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy

-------- output --------{"success":true,"message":null,"messages":null,"data":null}
-------- vs --------------------------------

+ The 'option' parameter of the /index.php CGI :
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxyy

-------- output --------HTTP/1.1 200 OK
-------- vs --------HTTP/1.1 404 Component not found.------------------------

Solution:
Modify the affected CGI scripts so that they properly escape arguments.

Report as False Positive.
If you believe this vulnerability is a false positive, already patched or compensating controls exist within your infrastructure please click the link above. A security expert will review your submission  and accept or reject the report.
Title: Re: SQL Injection Expert Required (^_^)
Post by: AH on February 24, 2016, 09:36:04 AM
&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData

what is this doing??
Title: Re: SQL Injection Expert Required (^_^)
Post by: balai on February 24, 2016, 10:07:48 AM
option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)
Title: Re: SQL Injection Expert Required (^_^)
Post by: AH on February 24, 2016, 10:17:20 AM
Yes

Therefore - what additional plugins and components is he running
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 10:35:37 AM
Fresh install, Joomla and Virtuemart - nothing else.

Quote from: balai on February 24, 2016, 10:07:48 AM
option=com_ajaxyy means that this vulnerability is detected in the ajaxxy component (NOT in Virtuemart)
The com_ajaxxY (where xY comes from idk) is actually in the url that responds with 404, it's the other url that shows 200 ok
Title: Re: SQL Injection Expert Required (^_^)
Post by: GJC Web Design on February 24, 2016, 10:38:36 AM
and how is this wild and wacky url generated?

/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 10:40:40 AM
It's the "Generic SQL Injection" detection plugin for Nessus I think? Wild and Wacky indeed :D
Title: Re: SQL Injection Expert Required (^_^)
Post by: balai on February 24, 2016, 11:24:37 AM
I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 11:44:13 AM
Quote from: balai on February 24, 2016, 11:24:37 AM
I suggest going to your joomla's components folder and check if there is any folder named com_ajax(yy)
If it is, better remove it.

Otherwise check for possible redirects of urls containing com_ajaxyy to other urls
com_ajax is part of the full Joomla install; the yy seems to be added to the 'wacky' url by the sql injection detection script. However, the URL that responds 200 OK, which is the url suspected of the problem, is not the URL that contains the com_ajaxyy parameter. I think perhaps you are not guiding me down the right road.

The question is, 'does this sql injection detection script find anything potentially prone to SQL injection attack or is it just a false positive?' The url in question that returns 200ok, when it should return 404 or something, is as below; the other url returns 404 which is ok.
/index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 11:56:25 AM
I really don't know anything much about SQL injection, or this detection script but you need to /escape things ;) I wish I could escaper dis thread :D it's prob nothing!?
Title: Re: SQL Injection Expert Required (^_^)
Post by: balai on February 24, 2016, 12:16:50 PM
Quote: the URL that responds 200 OK which is the url suspect of problem is not the URL that contains the com_ajaxyy parameter.
200 http code has nothing to do with the injection. This means that the server answered with success to the client's request but you have no idea what happened in the server side.

I repeat again that the url you submitted is calling the com_ajax component and not Virtuemart.

Now if you want to get an insight about being positive or not, this needs code debugging.
This cannot be determined by the url. Anybody can enter anything  as url, the matter is what happens in the server.
https://en.wikipedia.org/wiki/SQL_injection
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 12:40:51 PM
I take on board what you are saying, but any url should respond 404 and only 200 OK when returning a valid url... neither url should be returning 200ok and the one that is returning 200ok is the one without the ajax parameter. I don't care about the url with ajax in it because it returns 404.
Title: Re: SQL Injection Expert Required (^_^)
Post by: balai on February 24, 2016, 13:00:57 PM
Ok which is the option param of the 200ok url?
I don't see option=com_virtuemart at any of your urls

Also your report states
Quote: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server
This is a CGI script and not something supplied by VM. Possibly you have custom cgi scripts in your server or got hacked
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 13:11:07 PM
I will go over to Joomla and post there, just more familiar with here, I like you guys (^_^)

If any Expert opinions on this matter please do respond, thank you! :)
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 13:36:44 PM
Quote from: balai on February 24, 2016, 12:16:50 PM
Quote: url you submitted is calling the com_ajax component and not Virtuemart.

Sorry I see option=com_ajax in the middle of the first url now i posted over there... Ooops ;)
Title: Re: SQL Injection Expert Required (^_^)
Post by: PRO on February 24, 2016, 15:30:42 PM
have you tried to report it as a false positive?

this is standard joomla behavior when you request random things , when there is nothing to return.


of course, in your error.php, you could always check if empty component, if so raise 404 error

Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 24, 2016, 15:41:13 PM
Hi PRO! Thank you for your reply.

I have not tried to report as false positive but expect it to be false positive, just wanted an SQL Injection Expert's opinion on the matter ;)

It's standard to return 200OK on random 'wacky' urls? oO

The PEN SQL Injection script works as follows, from https://www.owasp.org/
Quote: If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible.

then they go on to say...
Quote: Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited. By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.

So reading that last bit I just wanted to make sure was a false positive ;)

Thank you - still don't know if it is a false positive or not though (^_^) maybe I should monitor the SQL queries as I run the specific detection script.

Regards to ALL :)
Title: Re: SQL Injection Expert Required (^_^)
Post by: PRO on February 24, 2016, 20:47:14 PM
Quote from: AH on February 24, 2016, 09:36:04 AM
&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData

what is this doing??

sql scanners just try to hammer urls with other things they find.

For example, they might have found the jform somewhere on the site.
Then, try & post that to somewhere else.

&& that's the thing, joomla components, mainly use jrequest, vrequest to get the data they need. & only the data they need.
So, most of the time, this BS would not even make it into the post/get

BUT! it could stay in the url.
You can take a product url, and add this to the end of the url   &jj=100=600&AH=PCI_compliant&virtuemart=forum&this=1

& nothing changes. Vmart component, is only going to grab the parts of the url needed.
Title: Re: SQL Injection Expert Required (^_^)
Post by: PRO on February 24, 2016, 20:49:25 PM
Quote from: rjcroasdale on February 24, 2016, 15:41:13 PM

Its standard to return 200OK on random 'wacky' urls? oO


I cannot reproduce this on my site, not from the urls you posted.
do you have a url I can reproduce this on? Then, I can tell you how to at least make the response change to what they want.

Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 28, 2016, 09:07:30 AM
[26/Feb/2016:18:08:37 +0000] "GET /index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&format=json&id=1&jform[username]=&limitstart=&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&option=com_ajaxyy HTTP/1.1" 404

[26/Feb/2016:18:03:25 +0000] "GET /index.php?virtuemart_product_id[]=300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonzz300&username=&type=rss&tmpl=component&task=&showproducts=1&quantity[]=1&productsublayout=0&print=1&pname=Multi%20Variant&pid=300&jform[password2]=&jform[password1]=&jform[name]=&jform[email]=&jform[email2]=&jform[email1]=&customProductData[176][22]=292&catid=2&addtocart=Add%20to%20Cart&Itemid=&9430c3f75bf9ddde8f14c6df2973d6cf=1&dir=DESC&filter-search=&filter_order=&filter_order_Dir=&id=1&jform[username]=&limitstart=&option=com_ajax&orderby=product_name&password=&remember=yes&return=aHR0cDovL3d3dy5wc3ludXguY28udWsvaW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9MSUzQWdldHRpbmctc3RhcnRlZCZjYXRpZD0yJkl0ZW1pZD0xMDE%3d&searchword=&showall=1&showcategory=1&view=article&virtuemart_category_id=2&virtuemart_manufacturer_id=1&virtuemart_product_id=300&format=jsonyy HTTP/1.1" 200

Hello and thank you for your posts :)

Unfortunately I am having an issue with the (joomla) FPA script as per http://forum.joomla.org/viewtopic.php?f=621&t=656394&start=90#p3370990

I am therefore giving you the information that seems relevant for now. Thank you and sorry for the delay in finding the time for this.

OS Centos 7
PHP 5.4.16
MySQLi 5.5.44
Caching Enabled
GZip Enabled
Database Collation    latin1_swedish_ci
Web Server    Apache
WebServer to PHP Interface    apache2handler
Joomla! Version    Joomla! 3.4.8 Stable [ Ember ] 24-December-2015 19:30 GMT
Joomla! Platform Version    Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT

dbtype             mysqli
sef             1 *(actually was 0 when running the injection detection)
sef_rewrite       1 *(actually was 0 when running the injection detection)
memcache_persist    1

All files and folders locked aside from /cache /administrator/cache /logs and /tmp which are fully writeable by Apache

Relevant PHP Settings

Setting          Value

Safe Mode          Off
Open basedir       None
Display Errors       Off
Short Open Tags    Off
File Uploads       On
Magic Quotes       Off
Register Globals    Off
Output Buffering    On
Session Auto Start    0
XML Enabled       Yes
Zlib Enabled       Yes
Native ZIP Enabled    Yes
Disabled Functions    None
Multibyte String   Enabled    Yes
Iconv Available    Yes

When the (joomla) FPA script was working, prior to installing PHP XML I did notice the message that potentially some modules were missing - is there a list of required modules or can someone post them please?

Aside from the FPA notice of required modules and the SQL injection detection script detection, false positive or not, everything seems to be working great!

FAO the Moderator! - IF I GAVE ANY POTENTIALLY SENSITIVE INFO PLEASE MASK IT, or someone else please tell me so I can edit the post to mask that info.

Thank you all and as always Regards to All (^_^)
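A triage sketch for the two access-log entries in the post above, added here as an example and not code from any poster, Nessus or Joomla: it resolves repeated query parameters the way PHP fills `$_GET` (the last value of a repeated scalar key wins), so the `option` and `format` values that actually reached `index.php` can be set beside the logged status. The log lines are constructed abbreviations of the posted ones, and the routing-key list and SQL-metacharacter pattern are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, abbreviated stand-ins for the two posted log entries: same shape
# (parameter list repeated, scanner marker appended to one parameter), far
# fewer parameters.
SAMPLE_LOG = [
    '[26/Feb/2016:18:08:37 +0000] "GET /index.php?virtuemart_product_id[]=300'
    '&format=json&view=article&option=com_ajaxzz300&pname=Multi%20Variant'
    '&format=json&view=article&option=com_ajaxyy HTTP/1.1" 404',
    '[26/Feb/2016:18:03:25 +0000] "GET /index.php?virtuemart_product_id[]=300'
    '&option=com_ajax&view=article&format=jsonzz300&pname=Multi%20Variant'
    '&option=com_ajax&view=article&format=jsonyy HTTP/1.1" 200',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a deliberately small pattern for characters and keywords that
# would be needed to alter a SQL statement; not a complete detector.
SQL_META = re.compile(r"""['"`;\\]|--|/\*|\b(?:union|select|sleep|benchmark|waitfor)\b""", re.I)
# Assumption: the parameters treated here as deciding which code handles the request.
ROUTING = ("option", "format", "view", "task")


def effective_params(target):
    """Resolve a query string as PHP does: name[] appends, a repeated scalar key keeps its last value."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    effective, overridden = {}, {}
    for key, value in pairs:
        if key.endswith("[]"):
            effective.setdefault(key, []).append(value)
            continue
        if key in effective and effective[key] != value:
            # Remember earlier values that a later duplicate replaced.
            overridden.setdefault(key, []).append(effective[key])
        effective[key] = value
    return effective, overridden, pairs


def triage(line):
    """Summarise one access-log line: status, effective routing values, replaced values, SQL-like parameters."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    effective, overridden, pairs = effective_params(m["target"])
    return {
        "status": int(m["status"]),
        "routing": {k: effective.get(k) for k in ROUTING},
        "overridden": overridden,
        # Checked on every decoded value, including ones a duplicate replaced.
        "sql_like": sorted({k for k, v in pairs if SQL_META.search(v)}),
    }


def routing_diff(a, b):
    """Routing parameters whose effective value differs between two triaged requests."""
    return {k: (a["routing"][k], b["routing"][k])
            for k in ROUTING if a["routing"][k] != b["routing"][k]}


if __name__ == "__main__":
    reports = [triage(line) for line in SAMPLE_LOG]
    for report in reports:
        print(report)
    print("routing differences:", routing_diff(*reports))
```

A differing effective `option` or `format` can account for a differing response without any database involvement. Whether a parameter the component does read reaches a query unescaped still has to be settled by reading the code or logging the queries.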
Title: Re: SQL Injection Expert Required (^_^)
Post by: Milbo on February 29, 2016, 17:28:26 PM
Quote from: rjcroasdale on February 24, 2016, 12:40:51 PM
I take on board what you are saying, but with any url should respond 404 and only 200 OK when returning a vaild url
This is not correctly said. A valid URL is determined by the format. A 404 just meant in old times, the requested file was not found. In joomla, you always use the index.php. So actually any 404 in joomla is not a 404, because the requested page was there. It just says that the requested "meta" page, could not be delivered.

There exists for any canonical URL an unlimited number of valid URLs even pointing to the correct content!
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on February 29, 2016, 17:43:23 PM
Thanks for the info Milbo (^_^) best regards bra :)
Title: Re: SQL Injection Expert Required (^_^)
Post by: Studio 42 on March 01, 2016, 11:23:22 AM
Hi,
Your script only returns "possible" URLs, that you can use to hack a site.
This does not mean that you can use it.
Eg adding &test=select password from jos_user in your link is a valid URL, but because "test" is not used in any case, this does not permit hacking a mysql query.
Title: Re: SQL Injection Expert Required (^_^)
Post by: rjcroasdale on March 04, 2016, 07:35:50 AM
Quote from: Studio 42 on March 01, 2016, 11:23:22 AM
Hi,
Your script only returns "possible" URLs, that you can use to hack a site.
This does not mean that you can use it.
Eg adding &test=select password from jos_user in your link is a valid URL, but because "test" is not used in any case, this does not permit hacking a mysql query.

Hello Studio! Thank you for your reply :)
Yes I agree, it's only a possible or a false positive. I'm guessing to test it properly I actually have to monitor the SQL queries live on the server and try to either pull data out or put data in. Thank you and Regards to all.