Hobbit Security Issue?
list David W David Gore
Perhaps someone more familiar with security can help me with this? Or perhaps it's a false positive? We scan or hosts for security and my score just went up more than three fold. This was the worst offender: wpoison (nasl version) Long Desc: The following URLs seem to be vulnerable to BLIND SQL injection techniques : /hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=info Obviously Hobbit doesn't use SQL, but we do have a running mysql instance running on the host. Our mysql instance is not used by hobbit. Any suggestions? Our mysql instance: mysql Ver 14.12 Distrib 5.0.27, for redhat-linux-gnu (i686) using readline 5.0 ~David
list Stewart Larsen
verify how your scanner determines the vulnerability. I have used one that attempts to hit the page with valid data and gets the response. Then they attempt to exploit and check the response. If the data that they send has no effect on the response from the server, they conclude that their exploit might have been successful. That's exactly what is happening here, and the code appears to be solid and there does not appear to be an issue. Get your security folks to flag this as a false positive in their scanning tool. The extra bits that get passed in are tossed on the floor and not used, they have no effect and are not a security issue. stewart
▸
Perhaps someone more familiar with security can help me with this? Or perhaps it's a false positive? We scan or hosts for security and my score just went up more than three fold. This was the worst offender: wpoison (nasl version) Long Desc: The following URLs seem to be vulnerable to BLIND SQL injection techniques : /hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=info Obviously Hobbit doesn't use SQL, but we do have a running mysql instance running on the host. Our mysql instance is not used by hobbit. Any suggestions? Our mysql instance: mysql Ver 14.12 Distrib 5.0.27, for redhat-linux-gnu (i686) using readline 5.0 ~David
--
Stewart Larsen
list Henrik Størner
▸
On Thu, Mar 22, 2007 at 05:36:16PM +0000, Gore, David W (David) wrote:
Perhaps someone more familiar with security can help me with this? Or perhaps it's a false positive? We scan or hosts for security and my score just went up more than three fold. This was the worst offender: wpoison (nasl version) Long Desc: The following URLs seem to be vulnerable to BLIND SQL injection techniques :
Someone else already answered that this is a false positive. Not uncommon with generic web vulnerabilities, unfortunately. But let me explain how Hobbit handles this request. (Bit of background: I've been doing penetration tests for a few years back in 2000-2001 when SQL injection techniques started appearing in scanners).
/hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=info
This is a URL with three parameters: 1) -='+AND+'b'>'a 2) HOST=myhost 3) SERVICE=info When the hobbitsvc.cgi program receives this URL, it breaks it down into these three. Then it tries to identify each of them as parameters it knows about. The first one doesn't match anything, so it is ignored. The other two are recognized, and you get an "OK" response back with the info-page for that host. I wrote the code so I am obviously biased, but I would argue that this is how one *should* handle CGI parameters: Just ignore the ones you don't know, and validate the ones you will be using. BTW, the sourcecode for the Nessus plugin your security people used to find this is available at http://www.nessus.org/plugins/index.php?view=viewsrc&id=11139 It rather blindly assumes that the CGI's being fed this test do in fact pass them to some SQL parser. I'll bet that it gets a lot of false positives. I haven't tested it, but from my reading of the code even a simple "Hello, world!" CGI would trigger this. Regards, Henrik
list David W David Gore
Thank you Henrik, that is a huge help. ~ David
▸
-----Original Message----- From: Henrik Stoerner [mailto:user-ce4a2c883f75@xymon.invalid] Sent: Thursday, March 22, 2007 21:26 To: user-ae9b8668bcde@xymon.invalid Subject: Re: [hobbit] Hobbit Security Issue? On Thu, Mar 22, 2007 at 05:36:16PM +0000, Gore, David W (David) wrote:Perhaps someone more familiar with security can help me with this? Or perhaps it's a false positive? We scan or hosts for security and my score just went up more than three fold. This was the worst offender:wpoison (nasl version)Long Desc: The following URLs seem to be vulnerable to BLIND SQL injection techniques :Someone else already answered that this is a false positive. Not uncommon with generic web vulnerabilities, unfortunately. But let me explain how Hobbit handles this request. (Bit of background: I've been doing penetration tests for a few years back in 2000-2001 when SQL injection techniques started appearing in scanners)./hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=infoThis is a URL with three parameters: 1) -='+AND+'b'>'a 2) HOST=myhost 3) SERVICE=info When the hobbitsvc.cgi program receives this URL, it breaks it down into these three. Then it tries to identify each of them as parameters it knows about. The first one doesn't match anything, so it is ignored. The other two are recognized, and you get an "OK" response back with the info-page for that host. I wrote the code so I am obviously biased, but I would argue that this is how one *should* handle CGI parameters: Just ignore the ones you don't know, and validate the ones you will be using. BTW, the sourcecode for the Nessus plugin your security people used to find this is available at http://www.nessus.org/plugins/index.php?view=viewsrc&id=11139 It rather blindly assumes that the CGI's being fed this test do in fact pass them to some SQL parser. I'll bet that it gets a lot of false positives. I haven't tested it, but from my reading of the code even a simple "Hello, world!" CGI would trigger this. Regards, Henrik