[hobbit] Hobbit Security Issue?

Gore, David W (David) david.gore at verizonbusiness.com
Fri Mar 23 00:32:51 CET 2007


Thank you Henrik, that is a huge help.

~ David

> -----Original Message-----
> From: Henrik Stoerner [mailto:henrik at hswn.dk] 
> Sent: Thursday, March 22, 2007 21:26
> To: hobbit at hswn.dk
> Subject: Re: [hobbit] Hobbit Security Issue?
> 
> On Thu, Mar 22, 2007 at 05:36:16PM +0000, Gore, David W (David) wrote:
> > Perhaps someone more familiar with security can help me with this?  Or
> > perhaps it's a false positive?  We scan our hosts for security and my
> > score just went up more than threefold.  This was the worst offender:
> > 
> > wpoison (nasl version)
> > Long Desc: The following URLs seem to be vulnerable to BLIND SQL
> > injection techniques :
> 
> Someone else already answered that this is a false positive. Not
> uncommon with generic web vulnerabilities, unfortunately. But let me
> explain how Hobbit handles this request.
> 
> (Bit of background: I've been doing penetration tests for a few years
> back in 2000-2001 when SQL injection techniques started appearing in
> scanners).
> 
> > /hobbit-cgi/bb-hostsvc.sh?-='+AND+'b'>'a&HOST=myhost&SERVICE=info
> 
> This is a URL with three parameters:
> 
> 1) -='+AND+'b'>'a
> 2) HOST=myhost
> 3) SERVICE=info
> 
> When the hobbitsvc.cgi program receives this URL, it breaks it down into
> these three. Then it tries to identify each of them as parameters it
> knows about. The first one doesn't match anything, so it is ignored.
> The other two are recognized, and you get an "OK" response back with 
> the info-page for that host.
> 
> I wrote the code so I am obviously biased, but I would argue that this
> is how one *should* handle CGI parameters: Just ignore the ones you
> don't know, and validate the ones you will be using.
> 
> BTW, the sourcecode for the Nessus plugin your security people used to
> find this is available at
>   http://www.nessus.org/plugins/index.php?view=viewsrc&id=11139
> It rather blindly assumes that the CGI's being fed this test do in
> fact pass them to some SQL parser. I'll bet that it gets a lot of
> false positives. I haven't tested it, but from my reading of the code
> even a simple "Hello, world!" CGI would trigger this.
> 
> 
> Regards,
> Henrik
> 
> 
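The parameter handling Henrik describes above (split the query string into name=value pairs, drop the ones the CGI does not know, validate the ones it will use) as an added C example. This is not Hobbit's own code: the struct, function names and the character-set policies for HOST and SERVICE are assumptions for illustration, and URL-decoding is left out so the scanner's probe stays visible as sent.

```c
/* Added example, not hobbitsvc.cgi source: a minimal CGI query-string
 * parser that ignores unknown parameters and validates the known ones.
 * Policies for what a valid HOST / SERVICE value looks like are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAXLEN 256

struct cgi_request {
    char host[MAXLEN];
    char service[MAXLEN];
    int ignored;   /* unknown parameters dropped, e.g. the scanner's -='+AND+'b'>'a */
    int rejected;  /* known parameters whose value failed validation */
};

/* Assumed policy: a hostname is non-empty and made of letters, digits, '.' and '-'. */
static int valid_hostname(const char *s)
{
    if (*s == '\0' || strlen(s) >= MAXLEN) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-') return 0;
    return 1;
}

/* Assumed policy: a service name is non-empty and made of letters, digits and '_'. */
static int valid_service(const char *s)
{
    if (*s == '\0' || strlen(s) >= MAXLEN) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Handle one "name=value" pair (or a bare "name"): known names are validated
 * and stored, anything else is counted and otherwise ignored. */
static void handle_pair(char *pair, struct cgi_request *req)
{
    char *eq = strchr(pair, '=');
    const char *name = pair;
    const char *value = "";

    if (eq) { *eq = '\0'; value = eq + 1; }

    if (strcmp(name, "HOST") == 0) {
        if (valid_hostname(value)) strcpy(req->host, value); else req->rejected++;
    } else if (strcmp(name, "SERVICE") == 0) {
        if (valid_service(value)) strcpy(req->service, value); else req->rejected++;
    } else {
        req->ignored++;
    }
}

/* Parse a QUERY_STRING into req. Returns 0 when both required parameters are
 * present and valid, -1 otherwise (too long, missing, or failed validation). */
int parse_query(const char *query, struct cgi_request *req)
{
    char buf[1024];
    char *p;

    memset(req, 0, sizeof(*req));
    if (strlen(query) >= sizeof(buf)) return -1;
    strcpy(buf, query);

    /* Split on '&'; empty pairs such as "a&&b" are skipped. */
    p = buf;
    while (p) {
        char *amp = strchr(p, '&');
        if (amp) *amp = '\0';
        if (*p) handle_pair(p, req);
        p = amp ? amp + 1 : NULL;
    }
    return (req->host[0] && req->service[0] && req->rejected == 0) ? 0 : -1;
}

int main(void)
{
    struct cgi_request req;
    /* The exact probe quoted in the thread. */
    const char *scan = "-='+AND+'b'>'a&HOST=myhost&SERVICE=info";

    if (parse_query(scan, &req) == 0)
        printf("OK host=%s service=%s (ignored %d unknown parameter(s))\n",
               req.host, req.service, req.ignored);
    else
        printf("request rejected (%d invalid parameter(s))\n", req.rejected);
    return 0;
}
```

With the thread's probe as input the parser drops the `-` parameter and answers with the normal info page for `myhost`, which is the behaviour Henrik describes; the injected characters never reach anything that interprets them. The same whitelist also rejects a request whose HOST value carries a quote, so a probe aimed at a recognised parameter is refused rather than passed through.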
