
TOPIC: Failed Security Scan - :dry: - Version 2.00+ Build 131022

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102310

mas_carpone (Expert Lime)
Good morning!

As we are moving (FINALLY!!! :) ) to 2.00+, we ran into an issue this morning.
The version we have installed did not pass the security scan :(

Two issues of "high severity" were detected and need to be solved before we are allowed to implement 2.00+ (cry) :

1. Slow HTTP Denial of Service Attack - Affects Web Server - On this point however, IT colleagues have indicated they can implement mitigation measures

2. jQuery Cross Site Scripting - Affects /scripts/jquery/jquery.js - on that second point I am seeking your help. Below the full report:

Description
This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites use location.hash to select elements, which allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3.
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Update to the latest version of jQuery.

We are talking here of Version 2.00+ Build 131022 - has this been updated since?

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102328

mas_carpone (Expert Lime)
Sorry, rushing around all day and I didn't conclude on that.

I guess I wanted to know first if this is still the case with the latest release and if so, what would be the implications of such a modification (if this is envisaged, when or if not, what you would suggest)?

If anyone could inform that would be great, thanks!
Last Edit: 7 months 2 weeks ago by mas_carpone.

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102329

holch (LimeSurvey Team)
I have no idea. But how about updating to the latest version and running another scan?

But I don't think that the jQuery version is changed so frequently.
Have a look at the manual! It is a really valuable source for information. Here some helpful links:
Manual (EN) | Question Types | Question Attributes | Workarounds

If you found this answer helpful and it saved you some time please consider a donation to the project to keep Limesurvey going!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102330

holch (LimeSurvey Team)
By the way, if you are running an older version of Limesurvey at the moment, it is probably better to upgrade anyway, because I guess it will not have less security issues...

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102351

mas_carpone (Expert Lime)
Thanks for your answer Holch!

I have already asked IT to run the check on build131206 - hopefully early next week we'll get there. I was thinking others may have come across the same issue, which is why I asked for information in the meantime.

Will keep you posted!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102375

DenisChenu (Moderator Lime)
mas_carpone wrote:
Two issues of "high severity" were detected and need to be solved before we are allowed to implement 2.00+ (cry) :

1. Slow HTTP Denial of Service Attack - Affects Web Server - On this point however, IT colleagues have indicated they can implement mitigation measures

2. jQuery Cross Site Scripting - Affects /scripts/jquery/jquery.js - on that second point I am seeking your help. Below the full report:
Hi,

2.00+ doesn't have a newer jQuery than 2.00: can you give us a link to the jQuery XSS alert so we can see if we can do a little patch? And put this in the bug report system?

If you have more information on 1: same thing.

Denis

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102383

mas_carpone (Expert Lime)
Hi Denis, thanks!

Here's what I have on the issue related to jQuery:

jQuery Cross Site Scripting
Reported by module Scripting (jQuery_Audit.script)

This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites use location.hash to select elements, which allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3.
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Update to the latest version of jQuery.

Details
/scripts/jquery/jquery.js
Pattern found: /*!
* jQuery JavaScript Library v1.5.2
* jquery.com
GET /scripts/jquery/jquery.js HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: iim.who.int/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=tkjd43vhcsg1ngcscu194d8763
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*
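The scanner above matched only the banner comment ("jQuery JavaScript Library v1.5.2") and compared it with the 1.6.3 fix; the post does not show what that fix changed or whether LimeSurvey's pages actually pass location.hash into $(). The following is an added example, not code from LimeSurvey, jQuery or the scanner: it reproduces the selector pre-check regex ("quickExpr") from the jQuery 1.5.x and 1.6.3 sources (verify against your own copy of /scripts/jquery/jquery.js), classifies a string the way jQuery's init() does, and parses the banner the scanner keyed on. The version helpers, the function names and the sample banner and hash are assumptions made for this illustration.

```javascript
// Added example (not LimeSurvey or jQuery code): why a jQuery 1.5.2 banner is
// flagged, and what jQuery 1.6.3 actually changed for $(location.hash).

// Selector pre-check reproduced from the jQuery sources.
// jQuery 1.5.x - 1.6.2: any string containing <...> hits the HTML branch, even
// when it starts with '#', so $(location.hash) with a crafted hash is parsed
// as markup (innerHTML) and event handlers in it run.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.6.3: a string beginning with '#' can no longer reach the HTML branch.
const QUICK_EXPR_NEW = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Helpers written for this example (not jQuery API).
function parseVersion(v) {
  return v.split(".").map(n => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator; "1.5.2" < "1.6.3" < "1.10.1".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Model of jQuery's init(): how a string handed to $() is classified.
//   "html"     -> built with innerHTML; script execution is possible
//   "id"       -> getElementById lookup
//   "selector" -> passed to the selector engine; no markup is created
function classifySelector(selector, version) {
  if (selector.charAt(0) === "<" &&
      selector.charAt(selector.length - 1) === ">" &&
      selector.length >= 3) {
    return "html"; // explicit fragment, treated as HTML by every version
  }
  const re = compareVersions(version, "1.6.3") < 0 ? QUICK_EXPR_OLD : QUICK_EXPR_NEW;
  const m = re.exec(selector);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// Pull the version out of the banner comment the scanner pattern-matched.
function jqueryVersionFromSource(src) {
  const m = /jQuery JavaScript Library v(\d+(?:\.\d+)+)/.exec(src);
  return m ? m[1] : null;
}

// The scanner's rule: anything older than 1.6.3 is reported.
function isVulnerableToHashXss(version) {
  return compareVersions(version, "1.6.3") < 0;
}

// Constructed sample input: the file header as quoted in the scan report, and
// a hash of the kind an attacker would put after '#' in a link to the site.
const SAMPLE_BANNER = "/*!\n * jQuery JavaScript Library v1.5.2\n * http://jquery.com/\n";
const CRAFTED_HASH = "#<img src=x onerror=alert(document.cookie)>";

const detected = jqueryVersionFromSource(SAMPLE_BANNER);
console.log("banner version:", detected,
            "flagged:", isVulnerableToHashXss(detected));
console.log("1.5.2 treats crafted hash as:", classifySelector(CRAFTED_HASH, "1.5.2"));
console.log("1.6.3 treats crafted hash as:", classifySelector(CRAFTED_HASH, "1.6.3"));
```

The scanner's finding is a version match, not proof of an exploitable page: the bug only fires where page or plugin code passes attacker-influenced text (location.hash, a query parameter) straight into $(). Upgrading the bundled jQuery removes the sink regardless, and jqueryVersionFromSource() applied to the served file is the quickest way to confirm an upgrade actually changed what the scanner sees.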

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102384

mas_carpone (Expert Lime)
And below, what I have on the Slow HTTP Denial of Service Attack - thanks so much for your continued support! (Note that my IT colleagues have said they should be able to fix this from their end - still guess it may be of interest to you)

Slow HTTP Denial of Service Attack
Reported by module Slow_HTTP_DOS

Description
Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks.
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.
A single machine can take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Recommendation
Consult Web references for information about protecting your web server against this type of attack.

References
Slowloris HTTP DoS
Slowloris DOS Mitigation Guide
Protect Apache Against Slowloris Attack
Affected items: Web Server
Details: Time difference between connections: 10125 ms
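The finding above is about the web server, not LimeSurvey: the scanner holds connections open with incomplete requests and reports that the server kept waiting. Since the report's own references point at Apache, here is an added configuration example (not from the scan report, LimeSurvey or the poster's IT team) showing the loose settings that produce this result next to a hardened set using Apache's mod_reqtimeout. The timeout values are illustrative starting points, not tuned figures.

```apache
# Added example, not part of the original post or of LimeSurvey.
# Apache httpd: bound how long a client may take to deliver a request.

# Weak: a single per-read Timeout and no mod_reqtimeout. A client that sends one
# header byte every few seconds never trips the timeout, so each such connection
# holds a worker for as long as the attacker likes.
#
#   Timeout 300
#   KeepAliveTimeout 15
#   (no RequestReadTimeout)

# Hardened (illustrative values): the complete header block must arrive within
# 20 s, extendable to at most 40 s only while the client keeps sending at least
# 500 bytes/s; the body gets a 20 s grace period and must then also sustain
# 500 bytes/s. Requires mod_reqtimeout to be loaded.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Shorter idle limits so stalled connections are reaped sooner.
Timeout 60
KeepAliveTimeout 5
```

After reloading, re-run the same slow-header probe (the scanner's own module, or a tool such as slowhttptest) and confirm the server now closes the half-sent request at the header deadline instead of holding it; the "time difference between connections" figure in the report should drop accordingly. For survey uploads, make sure the body MinRate does not cut off legitimate respondents on slow links before settling on values.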

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 2 weeks ago #102388

mas_carpone (Expert Lime)
I have now added that information to the bug reporting system as suggested.

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #102443

mas_carpone (Expert Lime)
Dear colleagues,

I had added that issue to the bug tracking, but it seems it has been removed. Probably this was not to be considered a bug actually.

Here I am: I have realised 2.05 had been issued as a stable version. I have asked my IT colleagues to upgrade and "security scan" this new version to see if with some luck we would go through this time. The return is that I need to choose: if we upgrade to 2.05, there will be no downgrading afterwards...

Do you suggest I ask for that upgrade and we take it from there based on the results of the scan?

Thanks a lot!