CGI Generic 2nd Order SQL Injection Detection (potential)

high Nessus Plugin ID 48926

Synopsis

A web application displays SQL error messages.

Description

By calling discovered CGIs with previously gathered values, SQL error messages were induced.

* They could be the result of a transient SQL failure:

However, even if the application is not vulnerable to an injection, SQL error messages often reveal the structure of the database and query information. Such information could help an attacker. Further, this may indicate the application is not resilient to increased traffic or unexpected data and could lead to a denial of service problem.

* They might be triggered by a 'second order' SQL injection:

Second Order SQL injection is a term used to describe an injection in which crafted input is accepted by the application but not acted upon immediately. The injected content is stored (in the database, a file or a session) and reaches a query-building code path later, typically one that trusts the value because it was read back from storage rather than from the request. An attacker may exploit SQL injections to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
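The second-order flow described above, as an added example that is not part of the plugin or of this page: a Python script against an in-memory SQLite database with a constructed `users` table. Registration is parameterized, so the payload is stored verbatim; the later password-change step reads the username back and splices it into a new statement. The function names, the `admin'--` and `O'Brien` inputs and the sample data are this example's own assumptions.

```python
import sqlite3


def new_db() -> sqlite3.Connection:
    """Constructed sample schema and data for this example (not taken from the plugin)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    return conn


def register(conn, username, password):
    """First-order entry point. It is parameterized, so a payload in `username` is
    stored verbatim and nothing happens yet: the 'not immediately acted upon' step."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, username, new_password):
    """Second-order sink: the username is read back from the database and, because it
    'came from the database', spliced into a new statement without parameters."""
    stored_name = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchone()[0]
    conn.execute("UPDATE users SET password = '%s' WHERE username = '%s'"
                 % (new_password, stored_name))


def change_password_fixed(conn, username, new_password):
    """Same flow with the second statement parameterized; the stored value is data again."""
    stored_name = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchone()[0]
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, stored_name))


def password_of(conn, username):
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def takeover(change_password):
    """Attacker registers the name admin'-- and then changes 'their own' password.
    In the unsafe sink the -- comment truncates the WHERE clause to username = 'admin'.
    Returns (admin's password, attacker's password)."""
    conn = new_db()
    register(conn, "admin'--", "pw")
    change_password(conn, "admin'--", "owned")
    return password_of(conn, "admin"), password_of(conn, "admin'--")


def error_message(change_password):
    """A benign apostrophe in stored data yields the SQL error text this plugin keys on."""
    conn = new_db()
    register(conn, "O'Brien", "pw")
    try:
        change_password(conn, "O'Brien", "pw2")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("vulnerable:", takeover(change_password_vulnerable),
          repr(error_message(change_password_vulnerable)))
    print("fixed:     ", takeover(change_password_fixed),
          repr(error_message(change_password_fixed)))
```

Note that the first statement is correctly parameterized; this is what makes the bug second-order. A scanner that only fuzzes the registration form sees nothing, which is why this plugin replays previously gathered values into other CGIs.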

Solution

- Modify the relevant CGIs so that they use parameterized queries (prepared statements) or, failing that, properly escape every value used in a query, including values read back from the database or other storage.

- Filter database error messages out of responses: log them server-side and return a generic error to the client.
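Both remedies together, as an added example (not the plugin's own code): a Python check for common database error strings in a response body, the kind of signal this plugin keys on, beside three request handlers: one that echoes the exception, one that only suppresses it, and one that also parameterizes the query. The signature list, the handler names and the constructed `users` table are this example's own assumptions; the plugin's real signature set is not on the page.

```python
import logging
import re
import sqlite3

# Database error strings commonly leaked into HTTP bodies (example's own list).
SQL_ERROR_SIGNATURES = [
    re.compile(r'near "[^"]*": syntax error'),                          # SQLite
    re.compile(r"You have an error in your SQL syntax"),                # MySQL / MariaDB
    re.compile(r"ERROR:\s+syntax error at or near"),                    # PostgreSQL
    re.compile(r"Unclosed quotation mark after the character string"),  # MS SQL Server
    re.compile(r"\bORA-\d{5}\b"),                                       # Oracle
]

log = logging.getLogger("app")


def leaks_sql_error(body: str) -> bool:
    """True if a response body contains a recognisable database error message."""
    return any(sig.search(body) for sig in SQL_ERROR_SIGNATURES)


def _db() -> sqlite3.Connection:
    """Constructed in-memory schema for the handlers below (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("INSERT INTO users VALUES ('O''Brien')")
    return conn


def handler_leaky(name: str) -> tuple:
    """Anti-pattern: concatenated query and the raw exception echoed to the client."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT username FROM users WHERE username = '%s'" % name).fetchall()
        return 200, "found %d user(s)" % len(rows)
    except sqlite3.Error as exc:
        return 500, "Database error: %s" % exc


def handler_filtered(name: str) -> tuple:
    """Only the error-filtering remedy: the exception is logged server-side and the
    client gets a generic message. The query is still injectable; the scanner just
    loses its signal."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT username FROM users WHERE username = '%s'" % name).fetchall()
        return 200, "found %d user(s)" % len(rows)
    except sqlite3.Error as exc:
        log.error("query failed for input %r: %s", name, exc)
        return 500, "An internal error occurred."


def handler_fixed(name: str) -> tuple:
    """Both remedies: parameterized query, and any remaining failure still not echoed."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT username FROM users WHERE username = ?", (name,)).fetchall()
        return 200, "found %d user(s)" % len(rows)
    except sqlite3.Error as exc:
        log.error("query failed for input %r: %s", name, exc)
        return 500, "An internal error occurred."


if __name__ == "__main__":
    for handler in (handler_leaky, handler_filtered, handler_fixed):
        for probe in ("O'Brien", "x' OR '1'='1"):
            status, body = handler(probe)
            print(handler.__name__, repr(probe), status, body, leaks_sql_error(body))
```

Filtering alone turns the plugin's finding green while the injection keeps working, as the `x' OR '1'='1` probe against `handler_filtered` shows. Treat the error-message leak and the query construction as two separate defects and fix both.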

See Also

http://www.nessus.org/u?d25a4dfe

http://www.nessus.org/u?c5cd2c92

https://en.wikipedia.org/wiki/SQL_injection

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.nessus.org/u?05c2d95d

http://www.nessus.org/u?11ab1866

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

http://www.technicalinfo.net/papers/SecondOrderCodeInjection.html

http://www.nessus.org/u?5946d990

Plugin Details

Severity: High

ID: 48926

File Name: torture_cgi_sql_error_msg.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 8/30/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests