Detections
Analytics

CGI Generic SQL Injection

high Nessus Plugin ID 11139

Synopsis

A web application is potentially vulnerable to SQL injection.

Description

By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability.

An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Solution

Modify the relevant CGIs so that they properly escape arguments.

See Also

https://www.owasp.org/index.php/SQL_Injection

https://en.wikipedia.org/wiki/SQL_injection

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.nessus.org/u?ed792cf5

http://projects.webappsec.org/w/page/13246963/SQL%20Injection

Plugin Details

Severity: High

ID: 11139

File Name: torture_cgi_sql_injection.nasl

Version: 2.30

Type: remote

Family: CGI abuses

Published: 7/23/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests

Reference Information

CWE: 20, 203, 209, 713, 717, 722, 727, 751, 77, 801, 810, 89, 928, 929, 933