[Snort-users] interesting information on ACID

Jason K. Boykin jboykin at ...9552...
Fri Jul 18 11:14:10 EDT 2003


I run Nessus almost weekly on one of our test servers and have never seen 
this.  It might be because we run only HTTPS (port 443) instead of HTTP (port 
80).  All HTTP requests are rejected.  You might try e-mailing the creators 
of ACID to see if they are aware if this really is the case.

Anyone else run Nessus against a regular HTTP server with ACID lately and get 
the SQL injection vulnerability?

On Friday 18 July 2003 08:36 am, Scott Renna wrote:
> Hello Snort users,
>
> So I ran a Nessus scan against one of my test IDS boxes and it came back
> with some very interesting results:
>
> The following URLs seem to be vulnerable to various SQL injection
> techniques :
>
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='UNION'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='&current_view=&action_arg=&                  =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='%22&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=9%2c+9%2c+9&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='bad_bad_value&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=bad_bad_value'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='+OR+'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='WHERE&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=%3B&current_view=&action_arg=&                  =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='OR&current_view=&action_arg=&                  =
>
>
>
> An attacker may exploit this flaws to bypass authentication
> or to take the control of the remote database.
>
>
> Solution : Modify the relevant CGIs so that they properly escape
> arguments
> Risk Factor : Serious
> See also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>
> Has anyone else seen such things?  I've not tested any techniques on it
> yet, as I've more been focused on working with barnyard.  Anyone know
> anything further on this?
>
> Scott
>
> ***************************
> Scott Renna
> Head Systems Administrator
> Dynamic Animation Systems
> 703-503-0500
>
> ***************************




