Nessus scanner reports CGI SQL injection vulnerability to plugin ID 43160 using Veritas Infoscale Operations Manager (VIOM) 8.0.0.500
Article ID: 100060709
Updated On:
Description
Description
Nessus scanner reports CGI SQL injection vulnerability to plugin ID 43160 using Veritas Infoscale Operations Manager (VIOM) 8.0.0.500.
Information on plugin 43160:
https://www.tenable.com/plugins/nessus/43160
Running the Nessus scanner on the VIOM Management Server, the following vulnerability is reported:
Plugin ID: 43160
Plugin Name: CGI Generic SQL Injection (blind, time based)
TCP Port: 14161
Plugin Output: Using the POST HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection (time based) :
+ The 'sessionExpire' parameter of the /vom/login CGI :
/vom/login [sessionExpire=true%20AND%20SLEEP(21)=0]
-------- output --------
Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.
Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.
An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Note that this script is experimental and may be prone to false positives.
Solution: Modify the affected CGI scripts so that they properly escape arguments.
Impact
The vulnerability was discussed with the VIOM engineering team and it was confirmed that there cannot be an SQL injection since credentials are not stored in the database, with VIOM using operating system authentication. Therefore, the warning is considered a false positive and can be disregarded.
Environment
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Issue/Introduction
Additional Information
