HIGHCGI Generic SQL Injection (blind)

Discussion forum about Anuko Time Tracker
adminhp
Posts: 18
Joined: Fri Oct 21, 2011 5:10 pm

HIGHCGI Generic SQL Injection (blind)

Post by adminhp » Wed Oct 04, 2017 9:33 pm

While running a Nessus vulnerability scan on timetracker, I am getting the following error. Timetracker version is 1.9.10.3371 running on Apache 2.4.28. Details are below. Has anyone seen this, and is there a fix?

Thanks.

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'password' parameter of the /login.php CGI :

/login.php?browser_today=&login=&btn_login=Login&password=zz&login=&btn_login=Login&password=yy

-------- output --------
<td align="right">Password:</td>
<td>
<input type="password" name="password" id="password" size="25" style="width: 220px;" maxlength="50" value=""></td>
</tr>
<tr>
-------- vs --------
<td align="right">Password:</td>
<td>
<input type="password" name="password" id="password" size="25" style="width: 220px;" maxlength="50" value="yy"></td>
</tr>
<tr>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'login' parameter of the /login.php CGI :

/login.php [browser_today=&password=&btn_login=Login&login=zz&password=&btn_login=Login&login=yy]

-------- output --------
</head>

<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0" onLoad="document.loginForm.login.focus()">

-------- vs --------
</head>

<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0" onLoad="document.loginForm.password.focus()">
------------------------
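
The two Nessus "output vs" blocks above differ only where the probe value is echoed back into the form (value="yy") and where the page picks a different field to focus. A small triage step that masks those known benign differences before comparing the responses shows whether anything SQL-dependent is left. The script below is an added example for this thread, not code from Nessus or from Anuko Time Tracker; the response bodies are constructed to resemble the quoted output, and the benign-difference patterns are assumptions an analyst would tune per application.

```python
"""Triage a differential 'blind SQL injection' finding: does any difference
between the baseline and probe responses survive once reflected input and
known benign variation are masked out?"""
import difflib
import re

# Constructed sample bodies modelled on the two GET responses quoted in the
# Nessus output above; they were not captured from a live server.
BASELINE = (
    '<td align="right">Password:</td>\n'
    '<td>\n'
    '<input type="password" name="password" id="password" size="25" '
    'style="width: 220px;" maxlength="50" value=""></td>\n'
    '</tr>\n'
    '<tr>\n'
)
PROBE = BASELINE.replace('value=""', 'value="yy"')

# Constructed bodies modelled on the POST case: only the onload focus target differs.
POST_BASELINE = '<body onLoad="document.loginForm.login.focus()">\n'
POST_PROBE = '<body onLoad="document.loginForm.password.focus()">\n'

# Assumed list of differences a login form produces regardless of what the
# database did: echoed form values and the field chosen for initial focus.
BENIGN_PATTERNS = [
    (re.compile(r'value="[^"]*"'), 'value="<reflected>"'),
    (re.compile(r'document\.loginForm\.\w+\.focus\(\)'),
     'document.loginForm.<field>.focus()'),
]


def normalize(body, sent_values, patterns=BENIGN_PATTERNS):
    """Mask every sent probe value and every known benign variation.

    Literal replacement is deliberately blunt: a short probe such as 'yy'
    could also mask unrelated text, so keep probe values distinctive.
    """
    for value in sent_values:
        if value:
            body = body.replace(value, '<reflected>')
    for regex, replacement in patterns:
        body = regex.sub(replacement, body)
    return body


def residual_diff(baseline, probe, sent_values, patterns=BENIGN_PATTERNS):
    """Return the changed lines that survive normalisation.

    An empty list means the scanner's differential is fully explained by
    reflected input and benign variation, i.e. no SQL-dependent behaviour
    was demonstrated.
    """
    a = normalize(baseline, sent_values, patterns).splitlines()
    b = normalize(probe, sent_values, patterns).splitlines()
    return [
        line
        for line in difflib.unified_diff(a, b, lineterm='', n=0)
        if line.startswith(('+', '-')) and not line.startswith(('+++', '---'))
    ]


def triage(baseline, probe, sent_values):
    """Classify a finding for manual follow-up."""
    if not residual_diff(baseline, probe, sent_values):
        return 'reflection-only'   # differential explained by echoed input
    return 'residual-difference'   # confirm or reject by hand


if __name__ == '__main__':
    print('GET case :', triage(BASELINE, PROBE, ['zz', 'yy']))
    print('POST case:', triage(POST_BASELINE, POST_PROBE, ['zz', 'yy']))
    # A response that gains an error line the baseline lacks is not explained
    # by reflection and needs a human look (still not proof of injection).
    changed = PROBE + '<div class="error">Incorrect login or password.</div>\n'
    print('changed  :', triage(BASELINE, changed, ['zz', 'yy']))
```

Running it reports both quoted cases as reflection-only and the constructed third case as a residual difference. The result only says what the scanner's evidence does and does not show; a residual difference is a reason to read the query code (Auth_db.class.php in this case) rather than a confirmation.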

wrc
Posts: 244
Joined: Tue May 25, 2010 8:30 pm

Re: HIGHCGI Generic SQL Injection (blind)

Post by wrc » Fri Oct 06, 2017 9:05 pm

Looks like a false positive from the Nessus product you are using. Why don't you ask them what they mean exactly and how they are able to access the database directly? Both login and password strings appear to be properly quoted with $mdb2->quote in Auth_db.class.php - if you use DB auth. Not sure about LDAP.

I'd like to see more details about the vulnerability, if one actually exists.

wrc
Posts: 244
Joined: Tue May 25, 2010 8:30 pm

Re: HIGHCGI Generic SQL Injection (blind)

Post by wrc » Fri Oct 06, 2017 9:10 pm

Also perhaps try using UNMODIFIED and the latest version of Time Tracker to see if it makes any difference. I tried to use a GET with the parameters quoted in your post and I see a different result:

Anuko Time Tracker 1.12.2.3672

/login.php?browser_today=&login=&btn_login=Login&password=zz&login=&btn_login=Login&password=yy

  </tr>
  <tr>
    <td align="right">Password:</td>
    <td>
	<input type="password" id="password" name="password" size="25" style="width: 220px;" maxlength="50" value="yy"></td>
  </tr>
  <tr>

Seems like nothing to worry about until we see some proof that the vulnerability exists? They may be confusing the Login and Password fields and also the fact that the Login may be pre-populated from the user cookie and, therefore, may look different.
