PowerProtect: Appliance DM5500 - Security scan detects "CGI Generic SQL Injection (blind)" on port 443

Summary: PowerProtect Data Manager Appliance [DM5500]: The security vulnerability scanner reports "CGI Generic SQL Injection (blind)" on port 443. Dell Engineering has confirmed that this finding is a false positive.


Symptoms

The security vulnerability scanner detects the following on the DM5500:

Plugin ID: 42424
Risk: High
Host: Appliance
Port: TCP/443
Name: CGI Generic SQL Injection (blind)
Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attacks.

Description:

The scanning software can get different returns by sending specially crafted parameters to the CGI script hosted on the web server. This suggests that it could modify the behavior of the application and directly access the underlying database.

This could allow an attacker to bypass authentication, access confidential data, modify the database, or even gain control of the remote operating system.

Plugin Output:

With the "GET HTTP" method, the scanner found that:

+ The following resources may be vulnerable to blind SQL injection:

+ The 'clientId' parameter of the /iam-token-handler/public/authorize CGI:
/iam-token-handler/public/authorize?clientId=common-gui-service'||'common-gui-service

-------- output --------
HTTP/1.1 302
-------- vs --------
HTTP/1.1 400
------------------------

Cause

The scanner works by differential comparison: it requests /iam-token-handler/public/authorize once with the normal clientId value and once with a SQL string-concatenation fragment ('||') inserted into the value, then compares the two responses. Because the endpoint answers one request with HTTP 302 and the other with HTTP 400, the scanner treats the change in behavior as evidence that the injected fragment altered a database query. The heuristic only observes the HTTP responses; it has no way of knowing whether any database is queried at all, so any endpoint that validates its parameters and rejects an unexpected value will produce the same signal.

Resolution

The Dell Engineering Team has confirmed that this is a false positive.

The token handler does not interact with any of the databases, so the differing status codes are produced by the handler's own handling of the modified clientId value, not by an injected SQL fragment being executed.
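The following is an added example, not code from the Dell article or from the appliance. It reproduces the scanner's differential heuristic against two constructed mock handlers: one that validates clientId in code with no database (the situation described in the Cause and Resolution), and one that is deliberately injectable through string-concatenated SQL. Both mocks produce the 302-vs-400 difference from the plugin output, which is why the status-code comparison alone cannot tell them apart. The block then shows a confirmation check a practitioner can run before accepting or rejecting such a finding: split the known-good value and rejoin it with SQL concatenation. Only a backend that actually evaluates the payload as SQL treats the reconstructed value like the original while rejecting a junk control. The allowlist, the handler names and the value "common-gui-service" taken from the finding are assumptions for the mock; nothing here reflects the real token handler's implementation.

```python
import sqlite3

# Constructed allowlist for the mock handlers (assumption; not the appliance's real configuration).
KNOWN_CLIENTS = {"common-gui-service"}
VALID = "common-gui-service"


def authorize_no_db(client_id: str) -> int:
    """Mock of a handler that validates clientId in code; no database is involved.

    A known client is redirected (302); anything else is rejected (400).
    This is the behavior the article describes for the real token handler.
    """
    return 302 if client_id in KNOWN_CLIENTS else 400


def _client_db() -> sqlite3.Connection:
    """In-memory table of known clients used only by the injectable mock."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (client_id TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?)", [(c,) for c in KNOWN_CLIENTS])
    return conn


def authorize_sqli(client_id: str) -> int:
    """Mock of a deliberately injectable handler that concatenates clientId into SQL.

    Kept vulnerable on purpose so the confirmation check has a true positive to detect.
    """
    conn = _client_db()
    try:
        row = conn.execute(
            "SELECT 1 FROM clients WHERE client_id = '" + client_id + "'"
        ).fetchone()
    except sqlite3.Error:
        return 500  # malformed SQL from a broken payload
    finally:
        conn.close()
    return 302 if row else 400


def scanner_flags(handler, baseline: str, injected: str) -> bool:
    """The differential heuristic behind the finding: flag when the two responses differ."""
    return handler(baseline) != handler(injected)


def confirm_blind_sqli(handler, valid_value: str, split_at: int) -> bool:
    """Confirmation check: does the backend interpret '||' as SQL string concatenation?

    The valid value is split and rejoined with '||'. If the payload reaches a SQL
    engine where '||' concatenates strings (SQLite, PostgreSQL, Oracle; MySQL needs
    PIPES_AS_CONCAT or CONCAT()), the reconstructed value behaves exactly like the
    original, while a control with junk in the second half does not. A handler that
    merely validates the raw string rejects both, which is the false-positive case.
    """
    head, tail = valid_value[:split_at], valid_value[split_at:]
    reconstructed = f"{head}'||'{tail}"
    control = f"{head}'||'{'x' * len(tail)}"
    base = handler(valid_value)
    return handler(reconstructed) == base and handler(control) != base


if __name__ == "__main__":
    injected = VALID + "'||'" + VALID  # the payload shown in the plugin output
    for name, handler in (("no_db", authorize_no_db), ("sqli", authorize_sqli)):
        print(name, "scanner flags:", scanner_flags(handler, VALID, injected),
              "| confirmed:", confirm_blind_sqli(handler, VALID, len("common-gui-")))
```

Both mocks make `scanner_flags` return True for the exact payload in the finding, while `confirm_blind_sqli` returns True only for the injectable mock. The same split-and-rejoin check can be sent manually against the appliance with curl; if the reconstructed value is rejected just like the junk control, the 302/400 difference is parameter validation rather than SQL execution.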

Affected Products

PowerProtect Data Manager Appliance, PowerProtect DM5500
Article Properties
Article Number: 000236546
Article Type: Solution
Last Modified: 17 Oct 2024
Version:  1