Security Issues found by Site Scanner

I have recently had trouble with attacks on my sites. As a result of this I transferred to a new host that had more security tools. The new host runs a process that looks at the site for vulnerabilities.
They reported 1 critical issue (site vulnerable to SQL Injection attacks). There is also a warning (backend SQL can be identified).
There are also 5 informational items identified.

The message received concerning the critical issue is
Your website is vulnerable to SQL injection attacks.

When providing specially crafted parameters to your site, Site Scanner received an error from the underlying databse. The error indicates that your site might be vulnerable to SQL injection attacks. An attacker could use this vulnerability to bypass authentication, read confidential data, modify the remote database, or possibly take control of the remote server.

Risk Factor:
High / CVSS Base Score : 7.5(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution:
Modify the relevant cgis so that they properly escape arguments.
`
Output:
------------------------ ` This is obviously the main problem that needs to be fixed and I would appreciate your input. The website I am having problems with is www.clipart-people.com This site is running the latest version I have also uploaded a document with all the issues found on my site to <link removed by administrator> I really like ZenPhoto and will research all I can about making my sites more secure, but this problem is a little beyond me.

Comments

  • acrylian Administrator
    Thanks for the note, our chief dev sbillard will comment on these later today as well. First thoughts from me beforehand that:

    • Critical: As you see the query fails with an error. The example leaves a basic required parameter (the album folder name) empty so the query must fail anyway. We do escape all queries actually (I hope we did not forget one!). Did you try to inject code actually?
    • #1 GET methodes are escaped actually, there should no code be left to execute.
    • #2 I don't understand the issue. Zenphoto uses cookies as many others do. You can disable them and use sessions for example if you like. Zenphoto 1.4.2 will also allow http authentification.
    • #3 Well, sure bad crawlers don't care about robots.txt. But the good ones do. And it is very easy to find out about these as we are open source. User proper permissions and it should not be an issue actually. Using robots.txt is also optional, so you can just remove it anyway.
    • #4 As the solution says this is a server configuration thing regarding directory listing. However, the examples /page, /news and /pages given are not directories but rewritten urls.
    As said my collegue will comment later as well.
  • The critical issue is indeed an oversite that we will correct.

    #1 is not reproducable by me. The only symptom I can get from that URL is a CGI error. However, at least with PHP 5.3.5 no reflection of the URI or parameter has happened. Perhaps this is an issue for an earlier version of PHP.

    #, #3 and #4 are as acrylian has said
  • acrylian Administrator
    We have removed the code example and link. A fix will be in the nightly build of 1.4.2 beta after tonight.
Sign In or Register to comment.