January 12th, 2022 09:00

OMSA 10.1 Vulnerable to CGI Generic SQL Injection?

Our Tenable Nessus scanner is saying that OMSA 10.1 is vulnerable to

CGI Generic SQL Injection (blind, time based)

Severity HIGH

 

Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection (time based) :
+ The 'searchQuery' parameter of the /help/omahip/en/search.html CGI :
/help/omahip/en/search.html?searchQuery='%20AND%20SLEEP(21)='
-------- output --------
------------------------

Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.
Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower
response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.
An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the
remote operating system.
Note that this script is experimental and may be prone to false positives

Solution: Modify the affected CGI scripts so that they properly escape arguments.
See Also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?ed792cf5
http://projects.webappsec.org/w/page/13246963/SQL%20Injection
Risk Factor: High
CVSS V3 Base Score:

Moderator


January 13th, 2022 05:00

Hi kevins,

Thank you for your feedback, I will forward this to our Software team.

Did you also try our newest version (10.2)?

https://dell.to/33pX2PL

Did you have any further questions?

Regards, Martin

January 16th, 2022 06:00

Struggling to find 10.2 in a Redhat version.

4 Operator


January 16th, 2022 14:00

@Dell-Martin S 

Maybe you can also ask why a management application tries to download external stuff and may leak sensitive information because of a query to "https://fonts.googleapis.com/css?family=Noto+Sans+JP:300,400,500,700|Noto+Sans+KR:300,400,500,700|Noto+Sans+SC:300,400,500,700|Noto+Sans+TC:300,400,500,700|Noto+Sans:400,400i,700,700i|Roboto:300,300i,400,400i,500,500i,700,700i&display=swap&subset=chinese-simplified,chinese-traditional,japanese,korean"

@kevins7189-2 

I am not sure how smart Nessus is, but we have a 20 sec. delay because access to Google is not possible in our management network, and this will slow down OMSA when using a normal browser.

Regards,
Joerg
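One way to check a time-based finding like 43160 or 44967 against the kind of ambient delay Joerg describes, as an added example that is not part of this thread and not Dell's or Tenable's code: it times ordinary, payload-free requests to the reported CGI and reports whether a response near the scanner's 21 s sleep value is already present without any injection at all. The host name is a placeholder, the benign query value "memory" and the 3 s MARGIN are assumptions.

```python
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Sequence, Tuple

# The scanner's payloads asked for a 21 s delay (SLEEP(21), ping -n 21). If an
# ordinary request already takes about that long, a slow response says nothing
# about injection. MARGIN is an assumption: how far under 21 s still counts.
SLEEP_SECONDS = 21.0
MARGIN = 3.0

def time_get(url: str, timeout: float = 60.0) -> float:
    """Wall-clock seconds for one plain GET of url; the body is discarded."""
    start = time.monotonic()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start

def classify(baseline: Sequence[float], sleep_seconds: float = SLEEP_SECONDS,
             margin: float = MARGIN) -> str:
    """Classify a time-based finding from payload-free response times:
    latency-artefact (benign median already near the sleep value, so the timing
    signal is ambient latency), noisy (spread >= half the sleep value, so one
    slow sample proves nothing), or needs-verification (benign requests are
    fast, so the slowness was specific to the scanner's payload)."""
    if len(baseline) < 3:
        raise ValueError("need at least 3 samples for a baseline")
    median = statistics.median(baseline)
    spread = max(baseline) - min(baseline)
    if median >= sleep_seconds - margin:
        return "latency-artefact"
    if spread >= sleep_seconds / 2:
        return "noisy"
    return "needs-verification"

def triage(base_url: str, param: str, benign_value: str, samples: int = 5,
           timer: Callable[[str], float] = time_get) -> Tuple[str, List[float]]:
    """Time `samples` GETs of a harmless query and classify the finding."""
    url = base_url + "?" + urllib.parse.urlencode({param: benign_value})
    timings = [timer(url) for _ in range(samples)]
    return classify(timings), timings

if __name__ == "__main__":
    # Placeholder host; the CGI path and parameter name are the ones Nessus reported.
    verdict, t = triage("https://omsa-host.example:1311/help/omahip/en/search.html",
                        "searchQuery", "memory")
    print(verdict, [round(x, 1) for x in t])
```

A "latency-artefact" verdict means the plugin's only evidence (a slow reply) is reproduced by a harmless request, which is the situation Joerg describes; "needs-verification" means the slowness was payload-specific and the finding should go to the vendor rather than be closed on timing alone.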

Moderator


April 13th, 2022 12:00

Hello laakins,

I am not finding anything related in our Security Advisories and Notices:

https://dell.to/36gGNXa

I will do some checking and update you.


April 13th, 2022 12:00

We are running 10.2 and get the same Nessus plugin output in addition to two additional CGI related findings. Any help would be greatly appreciated.

44967 - CGI Generic Command Execution (time-based)

Description

The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.

Note that this script uses a time-based detection method which is less reliable than the basic method.

See Also

Solution

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to arbitrary command execution (time based) :

+ The 'searchQuery' parameter of the /help/omahip/en/search.html CGI :

/help/omahip/en/search.html?searchQuery=%26%20ping%20-n%2021%20127.0.0.1%20%26

-------- output --------

------------------------

42424 - CGI Generic SQL Injection (blind)
Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

See Also

Solution

Modify the affected CGI scripts so that they properly escape arguments.

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'app' parameter of the /HelpViewer CGI :

/HelpViewer?file=Redirect&app=oma'||'Redirect&app=oma

-------- output --------
HTTP/1.1 302
-------- vs --------
HTTP/1.1 400
------------------------

Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)

43160 - CGI Generic SQL Injection (blind, time based)
Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

See Also

Solution

Modify the affected CGI scripts so that they properly escape arguments.

Plugin Output

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection (time based) :

+ The 'searchQuery' parameter of the /help/omahip/en/search.html CGI :

/help/omahip/en/search.html?searchQuery='%20AND%20SLEEP(21)='

-------- output --------

------------------------

Moderator


April 14th, 2022 13:00

Hello laakins,

This was decided as not an issue for OMSA.

OMSA does not use SQL and cannot parse SQL syntax, so it would not be applicable.

The other one is not applicable either. It is referencing /help/omahip/en/search.html, which is just the mechanism by which the OMSA Online Help is launched. search.html is the mechanism for how it pulls the relevant page to where you are, and the search query isn't going to provide an attacker anything.
