HIGHCGI Generic SQL Injection (blind)

Discussion forum about Anuko Time Tracker

Postby adminhp » Wed Oct 04, 2017 9:33 pm

While running a Nessus vulnerability scan on timetracker, I am getting the following error. Timetracker version is 1.9.10.3371 running on Apache 2.4.28. Details are below. Has anyone seen this, and is there a fix?

Thanks.

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'password' parameter of the /login.php CGI :

/login.php?browser_today=&login=&btn_login=Login&password=zz&login=&btn_
login=Login&password=yy

-------- output --------
<td align="right">Password:</td>
<td>
<input type="password" name="password" id="password" size="25" style="w
idth: 220px;" maxlength="50" value=""></td>
</tr>
<tr>
-------- vs --------
<td align="right">Password:</td>
<td>
<input type="password" name="password" id="password" size="25" style="w
idth: 220px;" maxlength="50" value="yy"></td>
</tr>
<tr>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'login' parameter of the /login.php CGI :

/login.php [browser_today=&password=&btn_login=Login&login=zz&password=&
btn_login=Login&login=yy]

-------- output --------
</head>

<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0" onLo
ad="document.loginForm.login.focus()">


-------- vs --------
</head>

<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0" onLo
ad="document.loginForm.password.focus()">
------------------------
adminhp
 
Posts: 14
Joined: Fri Oct 21, 2011 5:10 pm

Re: HIGHCGI Generic SQL Injection (blind)

Postby wrc » Fri Oct 06, 2017 9:05 pm

Looks like a false positive from the Nessus product you are using. Why don't you ask them what they mean exactly and how they are able to access the database directly? Both login and password strings appear to be properly $mdb2->quote()'d in Auth_db.class.php - if you use DB auth. Not sure about LDAP.

I'd like to see more details about the vulnerability, if one actually exists.
wrc
 
Posts: 204
Joined: Tue May 25, 2010 8:30 pm
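The reply above rests on the login and password strings being passed through $mdb2->quote() before they reach the query. The following is an added example, not code from the thread or from Time Tracker, that shows the difference this makes. It uses Python's sqlite3 in place of PEAR MDB2, a constructed tt_users table, and a simplified quote_literal() that stands in for MDB2's quote() (an assumption; the real function is driver-specific). The lookup functions and the probe inputs are all constructed for this illustration.

```python
"""Added example (not Time Tracker's own code): why a quoted or
parameterized login/password lookup is not injectable, compared with raw
string interpolation.  sqlite3 stands in for MDB2; all names are constructed."""
import sqlite3


def make_db():
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO tt_users VALUES ('alice', 'secret')")
    return conn


def quote_literal(value: str) -> str:
    """Stand-in for MDB2 quote(): wrap in single quotes, double any embedded quote.
    (Simplified assumption about MDB2 behaviour, enough to show the principle.)"""
    return "'" + value.replace("'", "''") + "'"


def lookup_unquoted(conn, login, password):
    """Unsafe pattern: raw interpolation.  A quote in the input changes the SQL."""
    sql = (f"SELECT login FROM tt_users WHERE login = '{login}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn, login, password):
    """The pattern the reply describes: every string is quoted before concatenation,
    so the input is always read as a literal."""
    sql = (f"SELECT login FROM tt_users WHERE login = {quote_literal(login)} "
           f"AND password = {quote_literal(password)}")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, login, password):
    """Preferred form: placeholders; the driver never lets data become SQL text."""
    sql = "SELECT login FROM tt_users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


def probe(login, password):
    """Run all three lookups on a fresh database.

    Returns a dict mapping lookup name to the list of matched logins, or to the
    name of the sqlite3 error class if the query itself broke."""
    conn = make_db()
    lookups = (("unquoted", lookup_unquoted),
               ("quoted", lookup_quoted),
               ("parameterized", lookup_parameterized))
    results = {}
    for name, fn in lookups:
        try:
            results[name] = fn(conn, login, password)
        except sqlite3.Error as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    # Valid credentials behave the same everywhere.
    print(probe("alice", "secret"))
    # A single quote in the password only breaks the unquoted query;
    # the quoted and parameterized forms simply find no match.
    print(probe("alice", "z'z"))
    # The scanner's own probe values ("zz", "yy") are plain literals in every form.
    print(probe("", "zz"), probe("", "yy"))
```

The instructive case is the password containing a single quote: the interpolated query fails at parse time (and in a real application would have handed the attacker control of the statement), while the quoted and parameterized queries treat the same input as an ordinary string and return no rows. The scanner's "zz" and "yy" values contain nothing that any of the three forms treats specially.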

Re: HIGHCGI Generic SQL Injection (blind)

Postby wrc » Fri Oct 06, 2017 9:10 pm

Also perhaps try using UNMODIFIED and the latest version of Time Tracker to see if it makes any difference. I tried to use a GET with the parameters quoted in your post and I see a different result:

Anuko Time Tracker 1.12.2.3672

/login.php?browser_today=&login=&btn_login=Login&password=zz&login=&btn_login=Login&password=yy


  </tr>
  <tr>
    <td align="right">Password:</td>
    <td>
   <input type="password" id="password" name="password" size="25" style="width: 220px;" maxlength="50" value="yy"></td>
  </tr>
  <tr>


Seems like nothing to worry about until we see some proof that the vulnerability exists? They may be confusing the Login and Password fields and also the fact that the Login may be pre-populated from user cookie and, therefore, may look different.
wrc
 
Posts: 204
Joined: Tue May 25, 2010 8:30 pm
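Both Nessus findings in the first post, and the reply above, come down to the same question: do the two responses differ because of database state, or only because the submitted value is echoed into the form (value="yy") and the onLoad script focuses whichever field is empty? The following is an added triage helper, not code from the thread, from Nessus or from Time Tracker. The two response pairs are constructed from the excerpts quoted in the first post; the comparison logic is this example's own and is only an assumption about how a differential scanner check can be re-examined, not a description of how Nessus works internally.

```python
"""Added example (not from the thread, Nessus or Time Tracker): strip the
reflected probe values out of a pair of scanner responses and see whether any
difference survives.  Sample responses are constructed from the first post."""
import difflib
import re

# Constructed from the GET finding: only the echoed password value differs.
GET_RESP_A = ('<td align="right">Password:</td>\n<td>\n'
              '<input type="password" name="password" id="password" size="25" '
              'style="width: 220px;" maxlength="50" value=""></td>\n</tr>\n<tr>')
GET_RESP_B = GET_RESP_A.replace('value=""', 'value="yy"')

# Constructed from the POST finding: only the onLoad focus target differs.
POST_RESP_A = ('</head>\n\n<body leftmargin="0" topmargin="0" marginheight="0" '
               'marginwidth="0" onLoad="document.loginForm.login.focus()">')
POST_RESP_B = POST_RESP_A.replace("login.focus()", "password.focus()")

# Markers of client-side form state (which field is focused or pre-filled);
# a difference confined to these says nothing about the database.
FORM_STATE = re.compile(r"focus\(\)|value=")


def normalize(body, payloads):
    """Remove every reflection of the probe values and collapse whitespace, so
    that differences caused purely by echoing the input disappear.
    (Plain substring removal is a deliberate simplification.)"""
    for p in payloads:
        body = body.replace(p, "")
    return re.sub(r"\s+", " ", body).strip()


def residual_diff(resp_a, resp_b, payloads=("zz", "yy")):
    """Return the +/- tokens that still differ after payload normalization.
    An empty list means the responses differed only by reflected input."""
    a = normalize(resp_a, payloads).split(" ")
    b = normalize(resp_b, payloads).split(" ")
    return [line for line in difflib.unified_diff(a, b, lineterm="", n=0)
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


def classify(resp_a, resp_b, payloads=("zz", "yy")):
    """Label a differential finding:
    'reflection-only'      nothing differs once echoed input is removed
    'form-state'           only focus()/value= attributes differ
    'needs-manual-review'  something else differs; inspect by hand"""
    diff = residual_diff(resp_a, resp_b, payloads)
    if not diff:
        return "reflection-only"
    if all(FORM_STATE.search(line) for line in diff):
        return "form-state"
    return "needs-manual-review"


if __name__ == "__main__":
    print("GET  finding:", classify(GET_RESP_A, GET_RESP_B))
    print("POST finding:", classify(POST_RESP_A, POST_RESP_B))
    # A constructed pair where the page content itself changes would be escalated.
    print("other:", classify("Welcome alice", "Login failed"))
```

On the constructed pairs the GET finding reduces to nothing once the echoed value is removed, and the POST finding leaves only the focus() target, which is what the reply above attributes to the login field being pre-populated from the cookie. Neither outcome proves the absence of a flaw; they show that the scanner's evidence, as quoted, does not support one, which is the point at which to ask the vendor for the query they believe they influenced.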

