Xymon Mailing List Archive

Hobbit Security Issue?

Gore, David W (David)
Thu, 22 Mar 2007 23:32:51 +0000
Message-Id: <user-c2ffffd2b2b7@xymon.invalid>

Thank you Henrik, that is a huge help.

~ David

-----Original Message-----
From: Henrik Stoerner [mailto:user-ce4a2c883f75@xymon.invalid]
Sent: Thursday, March 22, 2007 21:26
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Hobbit Security Issue?

On Thu, Mar 22, 2007 at 05:36:16PM +0000, Gore, David W (David) wrote:
> Perhaps someone more familiar with security can help me with this?  Or
> perhaps it's a false positive?  We scan our hosts for security and my
> score just went up more than three fold.  This was the worst offender:
> wpoison (nasl version)
> Long Desc: The following URLs seem to be vulnerable to BLIND SQL
> injection techniques :

Someone else already answered that this is a false positive. Not
uncommon with generic web vulnerabilities, unfortunately. But let me
explain how Hobbit handles this request.

(Bit of background: I've been doing penetration tests for a few years
back in 2000-2001 when SQL injection techniques started appearing in
scanners).
> /hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=info

This is a URL with three parameters:

1) -='+AND+'b'>'a
2) HOST=myhost
3) SERVICE=info

When the hobbitsvc.cgi program receives this URL, it breaks it down into
these three. Then it tries to identify each of them as parameters it
knows about. The first one doesn't match anything, so it is ignored.
The other two are recognized, and you get an "OK" response back with the info-page for that host.

I wrote the code so I am obviously biased, but I would argue that this
is how one *should* handle CGI parameters: Just ignore the ones you
don't know, and validate the ones you will be using.

BTW, the source code for the Nessus plugin your security people used to find this is available at
  http://www.nessus.org/plugins/index.php?view=viewsrc&id=11139
It rather blindly assumes that the CGIs being fed this test do in
fact pass them to some SQL parser. I'll bet that it gets a lot of
false positives. I haven't tested it, but from my reading of the code
even a simple "Hello, world!" CGI would trigger this.
Regards,
Henrik
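The parameter handling Henrik describes above (split the query string, drop the parameters you do not recognise, validate the ones you actually use) is shown below as an added example in C. It is not the hobbitsvc.cgi source and is not part of the thread; the parameter names HOST and SERVICE come from the quoted URL, while the 64-byte value limit, the allowed character set `[A-Za-z0-9._-]` and the `struct cgireq` result type are assumptions made for the example. The scanner's probe from the thread is the first constructed input: the payload sits in an unknown parameter, so it is counted and discarded without ever being interpreted, which is why the CGI answers "OK" and why the plugin flags a false positive. The second input moves the same text into HOST, where validation rejects it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXVAL 64            /* assumed maximum length of a decoded value */

struct cgireq {
    char host[MAXVAL];       /* validated HOST value, or "" if absent/rejected */
    char service[MAXVAL];    /* validated SERVICE value, or "" if absent/rejected */
    int ignored;             /* unknown parameters silently dropped */
    int rejected;            /* known parameters that failed validation */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower((unsigned char)c) - 'a' + 10;
}

/* Decode '+' and %XX from src[0..len) into dst; fail if it will not fit. */
static int urldecode(const char *src, size_t len, char *dst, size_t n)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        char c = src[i];
        if (o + 1 >= n) return 0;              /* would overflow dst */
        if (c == '+') c = ' ';
        else if (c == '%' && i + 2 < len && isxdigit((unsigned char)src[i + 1])
                 && isxdigit((unsigned char)src[i + 2])) {
            c = (char)((hexval(src[i + 1]) << 4) | hexval(src[i + 2]));
            i += 2;
        }
        dst[o++] = c;
    }
    dst[o] = '\0';
    return 1;
}

/* Host and service names: non-empty, only [A-Za-z0-9._-] (assumed policy). */
static int valid_token(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Store a known parameter if it validates, otherwise count a rejection. */
static void take_param(const char *val, size_t vlen, char *dst, struct cgireq *req)
{
    char decoded[MAXVAL];
    if (urldecode(val, vlen, decoded, sizeof decoded) && valid_token(decoded))
        strcpy(dst, decoded);      /* fits: decoded holds at most MAXVAL-1 chars */
    else
        req->rejected++;
}

/* Returns 1 when both HOST and SERVICE were present and valid, else 0. */
int parse_query(const char *query, struct cgireq *req)
{
    const char *p = query;
    memset(req, 0, sizeof *req);
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t nlen = eq ? (size_t)(eq - p) : plen;
        const char *val = eq ? eq + 1 : p + plen;
        size_t vlen = plen - nlen - (eq ? 1 : 0);

        if (nlen == 4 && memcmp(p, "HOST", 4) == 0)
            take_param(val, vlen, req->host, req);
        else if (nlen == 7 && memcmp(p, "SERVICE", 7) == 0)
            take_param(val, vlen, req->service, req);
        else
            req->ignored++;        /* e.g. "-='+AND+'b'>'a": never interpreted */

        if (!end) break;
        p = end + 1;
    }
    return req->host[0] != '\0' && req->service[0] != '\0' && req->rejected == 0;
}

int main(void)
{
    /* Constructed inputs: the scanner's probe from the thread, and the same
     * payload moved into a parameter the CGI actually uses. */
    const char *probes[] = { "-='+AND+'b'>'a&HOST=myhost&SERVICE=info",
                             "HOST=myhost'+AND+'b'>'a&SERVICE=info" };
    for (size_t i = 0; i < 2; i++) {
        struct cgireq r;
        int ok = parse_query(probes[i], &r);
        printf("%-42s -> %s (host=\"%s\" service=\"%s\" ignored=%d rejected=%d)\n",
               probes[i], ok ? "OK" : "rejected", r.host, r.service, r.ignored, r.rejected);
    }
    return 0;
}
```

The point worth keeping from the thread is the order of operations: unknown names are discarded before their values are decoded or looked at, and known values are decoded and then checked against an allow-list before anything (a file lookup, a shell command, a database) sees them. A probe that only succeeds when a CGI passes arbitrary parameters to an SQL parser cannot distinguish this design from a vulnerable one, which is the false positive Henrik describes.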