This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 50%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hello,
We use Nessus Professional to scan for potential internal vulnerabilities on servers and PCs. Recently a potential CGI Generic SQL injection (blind) vulnerabilty was identified on a server. The output of the scan is below. The page showing the vulnerability shows the Port: 8080/tcp/www and the Host - ServerName, on which this application is installed. I am logging onto the server using domain credentials.
It is unclear how I would confirm if this is truly a vulnerability or a false positive. Nessus has referred me to the links, but I am not seeing how this would apply as the results are essentially pointing to logging onto the server, rather than a specific application.
Can anyone provide some guidance on how to address this?
Thanks,
Roger
Description
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.
An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Note that this script is experimental and may be prone to false positives.
Solution
Modify the affected CGI scripts so that they properly escape arguments.
See Also
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?ed792cf5
http://projects.webappsec.org/w/page/13246963/SQL%20Injection
The output of the scan shows the following:
Using the GET HTTP method, Nessus found that :
/Login.jsp?ajax=Y&accountID=free&password=&rememberMe=Y&rememberMeForDis
play=&userName=&paneType=&paneMessage=&paneBtnArrayButtons=&manual=false
&gotoURL=&parentPageName=Login.jsp'||'Y&accountID=free&password=&remembe
rMe=Y&rememberMeForDisplay=&userName=&paneType=&paneMessage=&paneBtnArra
yButtons=&manual=false&gotoURL=&parentPageName=Login.jsp
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&rememberMe=Y&r
ememberMeForDisplay=&userName=&paneType=&paneMessage=&paneBtnArrayButton
s=&manual=false&gotoURL=&password='||'Y&accountID=free&parentPageName=Lo
gin.jsp&rememberMe=Y&rememberMeForDisplay=&userName=&paneType=&paneMessa
ge=&paneBtnArrayButtons=&manual=false&gotoURL=&password=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMeForDisplay=&userName=&paneType=&paneMessage=&paneBtnArrayButtons=&
manual=false&gotoURL=&rememberMe=Y'||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMeForDisplay=&userName=&paneType=&paneMessage=
&paneBtnArrayButtons=&manual=false&gotoURL=&rememberMe=Y
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&userName=&paneType=&paneMessage=&paneBtnArrayButtons=&manual=fa
lse&gotoURL=&rememberMeForDisplay='||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&userName=&paneType=&paneMessage=&paneBtnA
rrayButtons=&manual=false&gotoURL=&rememberMeForDisplay=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&rememberMeForDisplay=&userName=&paneMessage=&paneBtnArrayButton
s=&manual=false&gotoURL=&paneType='||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&rememberMeForDisplay=&userName=&paneMessa
ge=&paneBtnArrayButtons=&manual=false&gotoURL=&paneType=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&rememberMeForDisplay=&userName=&paneType=&paneBtnArrayButtons=&
manual=false&gotoURL=&paneMessage='||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&rememberMeForDisplay=&userName=&paneType=
&paneBtnArrayButtons=&manual=false&gotoURL=&paneMessage=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&rememberMeForDisplay=&userName=&paneType=&paneMessage=&manual=f
alse&gotoURL=&paneBtnArrayButtons='||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&rememberMeForDisplay=&userName=&paneType=
&paneMessage=&manual=false&gotoURL=&paneBtnArrayButtons=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&rememberMeForDisplay=&userName=&paneType=&paneMessage=&paneBtnA
rrayButtons=&gotoURL=&manual=false'||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&rememberMeForDisplay=&userName=&paneType=
&paneMessage=&paneBtnArrayButtons=&gotoURL=&manual=false
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
HTTP/1.1 400 Bad Request
/Login.jsp?ajax=Y&accountID=free&parentPageName=Login.jsp&password=&reme
mberMe=Y&rememberMeForDisplay=&userName=&paneType=&paneMessage=&paneBtnA
rrayButtons=&manual=false&gotoURL='||'Y&accountID=free&parentPageName=Lo
gin.jsp&password=&rememberMe=Y&rememberMeForDisplay=&userName=&paneType=
&paneMessage=&paneBtnArrayButtons=&manual=false&gotoURL=
-------- output --------
HTTP/1.1 200 OK
-------- vs --------
Did you try to access the Web application using the second sample URL in browser (but adding the missing prefix of URL)? What page was displayed?
Sorry, do you mean the URL of the host server? Currently when I access the application using http://servername:8080/Login.jsp I get a normal dialog where I need to enter a user name and password before I can access the application.
What are you referring to?
Thanks
I mean the application that was scanned by the tool. Probably it is your http://servername:8080. Try entering the full address “http://servername:8080/Login.jsp?ajax=Y&accountID=free...” etc., which was reported as suspicious.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi vallee,
Did the answers help you?
Please feel free to let us know if you have any other question.
If you find any post in the thread is helpful, you could kindly accept it as answer.
Best Regards,
Amelia
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
This is really a web site issue and nothing to do with SQL Server. This is telling you the injection attack did not return the expected error. It does not mean it actually worked or did anything.
I suggest you read this and follow the links to fix your website scripts:
I think this is something that should be investigated, but the correct place to ask about this is forum where discuss web-site development. Someone needs to check the code, to see if there can be SQL injection.
What is a little funny is that they seem to be trying to inject || which means nothing in SQL Server. But this is the operator for string concatenation in ANSI SQL, and used on Oracle and several others.
Hi vallee,
To secure an application against SQL injection, both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible for user input to modify the actual SQL statement. Please refer to Blind SQL Injection and SQL Injection Prevention Cheat Sheet which might help.
For the web application issue, you can open a thread on the ASP.NET forum so that people there will help you more effectively.
Best Regards,
Amelia
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 80%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hi vallee2018, is this issue fixed ? please let us know we are also facing same issue