Re: interesting information on ACID

["Jason K. Boykin" <jboykin () summit-research-corp com>]

I run nessus almost weekly on one of our test servers and have never seen 
this.  It might be because we run only HTTPS (port 443) instead of HTTP (port 
80).  All HTTP requests are rejected.  You might try e-mailing the creators 
of ACID to see if they are aware if this really is the case.

Anyone else run nessus against a regular HTTP server with ACID lately and get 
the sql injection vulnerability?

On Friday 18 July 2003 08:36 am, Scott Renna wrote:
> Hello Snort users,
>
> So I ran a Nessus scan against one of my test IDS boxes and it came back
> with some very interesting results:
>
> The following URLs seem to be vulnerable to various SQL injection
> techniques :
>
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='UNION'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='&current_view=&action_arg=&                  =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='%22&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=9%2c+9%2c+9&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='bad_bad_value&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=bad_bad_value'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='+OR+'&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='WHERE&current_view=&action_arg=&
> =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller=%3B&current_view=&action_arg=&                  =
> /acid_stat_class.php?num_result_rows=&submit=AL&on=&Screen]=&action=&sor
> t_order=class_a&caller='OR&current_view=&action_arg=&                  =
>
>
>
> An attacker may exploit this flaws to bypass authentication
> or to take the control of the remote database.
>
>
> Solution : Modify the relevant CGIs so that they properly escape
> arguments
> Risk Factor : Serious
> See also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>
> Has anyone else seen such things?  I've not tested any techniques on it
> yet, as I've more been focused on working with barnyard.  Anyone know
> anything further on this?
>
> Scott
>
> ***************************
> Scott Renna
> Head Systems Administrator
> Dynamic Animation Systems
> 703-503-0500
>
> ***************************



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users