TOPIC: Failed Security Scan - :dry: - Version 2.00+ Build 131022

Failed Security Scan - :dry: - Version 2.00+ Build 131022 8 months 1 week ago #102466

  • DenisChenu
  • Moderator Lime
Hi,

I think you must make a DB backup and a file backup before upgrading to the latest 2.05 version, because you cannot downgrade.
Another possibility is to give it a try with:
- Update the included jQuery from 2.00 to blog.jquery.com/2011/09/12/jquery-1-6-4-released/ because it seems 1.6.4 doesn't have this issue
And test all your surveys thoroughly.

I will try in my own fork for 2014; I don't have time right now.

Denis

Failed Security Scan - :dry: - Version 2.00+ Build 131022 8 months 1 week ago #102472

  • mas_carpone
  • Expert Lime
Thanks Denis,

Actually, all my IS are still on 1.92 - as we were not able to migrate since.
We should probably move to 2.05 directly then? Do you know if jQuery has been updated in 2.05?

Merci!

Samuel

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103157

  • mas_carpone
  • Expert Lime
Hi All,

For information I have asked my IT colleagues to update again to the latest and re-run the security scan as advised (they are slowly getting mad at me though... :dry: ).

The initial problem mentioned in this thread seems to have been fixed since; however, I still have an issue to resolve around cross-site scripting.


Reported by module Scripting (XSS.script)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Your script should filter metacharacters from user input.

My colleagues said this may even be a "False Positive" but that I needed to have this ascertained before they get the green light to install. They are tight on security issues as we have had problems in the past :(

Anyway, if anybody here can help we'd be very grateful! In parallel I am exploring the possibility of recruiting a developer to look at this as time is really running out...

Merci!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103159

  • DenisChenu
  • Moderator Lime
Hi,

Did they update to the latest 2.05 version?

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103208

  • mas_carpone
  • Expert Lime
Yes Denis, the latest build of 2.05 (released on 19 December).

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103220

  • DenisChenu
  • Moderator Lime
mas_carpone wrote:
Yes Denis, the latest build of 2.05 (released on 19 December).
OK, great.

If it's a public survey, I think it's a false positive: we accept pseudo-XSS.

Did the "Reported by module Scripting (XSS.script)" entry show more information?

What tool is used here?
(I have to install such tools... I have only one ;) ).

You can report a 'security' bug if you have more information.

Denis

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103222

  • mas_carpone
  • Expert Lime
This is FANTASTIC NEWS!

I have asked for the full "developer" report which I will share with you.
Soooo happy if that were the case!

Will let you know asap!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103265

  • mas_carpone
  • Expert Lime
So, back to you on this. The software used is Acunetix Website Audit.
There is more detailed information on 2 affected items, which I have copied here. I am of course happy to share the full report if there is a way to do so.

Affected items

Details
/index.php/admin/authentication/sa/forgotpassword
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_923200'():;932205
The input is reflected inside <script> tag between single quotes.

Requested headers
GET /index.php/admin/authentication/sa/forgotpassword HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4;
YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_923200'():%3B932205
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*


Details
/index.php/admin/authentication/sa/login
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_978679'():;998756
The input is reflected inside <script> tag between single quotes.


Requested header
GET /index.php/admin/authentication/sa/login HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4;
YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_978679'():%3B998756
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103268

  • DenisChenu
  • Moderator Lime
csrfToken isn't taken from $_COOKIE directly; Yii seems to filter it.

But the bug is fixed.
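The Acunetix finding above describes a cookie value reflected raw between single quotes inside a script tag, and Denis's reply says the token is filtered before it reaches the page. The block below is an added example, not LimeSurvey's or Yii's own code: it shows the flagged rendering pattern next to a hardened one, plus a regression check that can be run over a captured response body to confirm a fix. The probe value, the page markup and the assumed token alphabet are constructed for the example.

```python
import json
import re

# Constructed probe in the shape the scanner used above: a cookie value
# carrying a single quote and JS punctuation so that, if echoed raw between
# single quotes inside <script>, it would close the string literal.
PROBE = "iesv1lo99j7e1lf64bpevooig4_923200'():;932205"
# Assumed token alphabet: framework-generated CSRF tokens are expected to be
# plain alphanumerics; anything else is not a token and is never echoed.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def render_vulnerable(token: str) -> str:
    """The pattern the scanner flagged: raw value between single quotes."""
    return "<html><script>var csrfToken = '" + token + "';</script></html>"


def render_hardened(token: str) -> str:
    """Validate the token shape first, then emit it as a JSON string literal
    with <, > and & hex-escaped so it can neither break out of the quotes
    nor terminate the <script> element early."""
    if not TOKEN_RE.fullmatch(token):
        token = ""  # a malformed token is dropped, not reflected
    literal = json.dumps(token)  # escapes \" and \\ for us
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return "<html><script>var csrfToken = " + literal + ";</script></html>"


def reflects_unescaped(body: str, probe: str) -> bool:
    """Regression check over a captured response: True when the probe's
    quote-bearing tail appears verbatim inside any <script> block."""
    marker = probe[probe.index("'"):] if "'" in probe else probe
    return any(marker in block for block in SCRIPT_RE.findall(body))


if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_unescaped(render_vulnerable(PROBE), PROBE))
    print("hardened reflects probe:  ", reflects_unescaped(render_hardened(PROBE), PROBE))
```

To verify a deployed fix, replace the rendered strings with the body of a real response captured after sending the scanner's cookie value, and keep the check in a test suite so a later template change cannot reintroduce the pattern.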

Failed Security Scan - :dry: - Version 2.00+ Build 131022 7 months 1 week ago #103271

  • mas_carpone
  • Expert Lime
Denis, first of all, thanks a million for following up.

Can you let me know if you have been able to rescan the fixed version with Acunetix? And if so, how could I get that fixed here? Do I need to wait for the next release?

In any case, thanks again so much for your support!