webmin: PCI compliancy failures cgi abuse vulnerability and others in session_login.cgi
I’m running into a PCI compliance issue: the scan is failing because of session_login.cgi, which affects both Webmin and the Authentic theme, as both use the same file names.
These are the details from a Comodo PCI compliance report.
Security Hole found on port/service “10000 / tcp / www”
Status: Automatic Failure as listed by the PCI SSC (This must be resolved for your device)
Plugin “CGI Generic SQL Injection (blind)” Category: “CGI abuses” Priority: “Urgent”
Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.
Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Risk factor: HIGH / CVSS base score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output: Using the GET HTTP method, Nessus found that:
- The following resources may be vulnerable to blind SQL injection:
- The ‘user’ parameter of the /session_login.cgi CGI: /session_login.cgi?pass=&save=1&user=zz&save=1&user=yy
-------- output --------
<body class="session_login" data-style="">
<div class="container session_login" data-dcontainer="1">
<form method="post" target="_top" action="/session_login.cgi" clas [...]
<i class="wbm-webmin"></i><h2 class="form-signin-heading">
-------- vs --------
<body class="session_login" data-style="">
<div class="container session_login" data-dcontainer="1">
<div class="alert alert-warning">
<strong><i class ="fa fa-exclamation-triangle"></i> Warning!</stro [...]
<span>Login failed. Please try again.</span>
------------------------
Solution: Modify the affected CGI scripts so that they properly escape arguments.
About this issue
- State: open
- Created 6 years ago
- Reactions: 1
- Comments: 59 (19 by maintainers)
Commits related to this issue
- Disallow multiple field to keep PCI scanners happy https://github.com/webmin/webmin/issues/833 — committed to webmin/webmin by jcameron 6 years ago
Jebus. This thing is ridiculous.
We really need to know what they expect to come back in order to stop giving bogus results. Playing whack-a-mole trying to guess what kind of response they want is a waste of everybody’s time.
I just want to say I hate seeing these changes referred to as “fixes”. Nothing was broken but the scanner, and we’re over here spending hours trying to deduce what broken behavior they expect us to show them in order to pass. In order to fix this problem, it’d be the scanner that needs changing. 😉
Though I do think authentication failures should be returning a 401 (though 403 is also not crazy), so changing that is a positive, anyway. I don’t love the idea of it requiring a configuration change to pass PCI compliance scanning, but it’s also completely bogus that we can’t return an HTTP error when an error has occurred. Breaking HTTP standards to make a dumb scanner happy is maddening.
I’m still not clear from the discussion if 401 worked, or if we need to return 200 with an error message and no login form.
@qooob I’ve completed the scan and the Authentic theme has also passed! @gnadelwartz’s 403 fixes should be implemented into the miniserv config as default, as the PCI scanner seems happy.
I think not, but I didn’t take a close look, so I don’t know for sure, as I never needed this.
For error codes it’s core Webmin, or more exactly miniserv.pl, so the response should be independent of the theme.
Handling of login parameters is done by Webmin’s login CGIs, which may be overwritten by a theme. Nevertheless it’s fixed for all distributed themes.
Let’s see what finally gets the test passing.
Sorry for the late reply. I’m still running one more PCI test.
The results of webmin itself have passed (without authentic theme.)
I’m now testing with the authentic theme to see if it passes as well.
The ‘best’ result was with Jamie’s patches, which blocked logins with a 200 response code.
Let’s check what happens with @swelljoe’s idea, 401.
@raidensnake try: ‘update-from-repo.sh -force’ and replace in miniserv.pl all occurrences of 403 with 401. I guess this is the last thing we can try.
I’ll make some changes in the next release of Webmin to suppress multiple occurrences of the same field like this (on the login page).
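The two changes discussed in this thread (refusing a field that is repeated in one request, and answering every failed login with the same 401 status and the same body) can be checked together with a small model of the login handler. This is an added example, not Webmin’s own code: the credential table, the handler and the `responses_differ` check are constructed here, and the probe string is the one from the scanner report above.

```python
from http import HTTPStatus
from urllib.parse import parse_qs

# Constructed stand-in for the real credential check (Webmin's lives in miniserv.pl).
VALID_USERS = {"admin": "correct-horse-battery"}
FAILURE_BODY = "Login failed. Please try again."


class DuplicateField(ValueError):
    """A form field was supplied more than once in one request."""


def parse_login_fields(query):
    """Parse a CGI query string, refusing any field that appears twice.

    The scanner's probe repeats 'user' and 'save' in a single request. Silently
    taking the first or last copy is what lets two probes produce two different
    pages; refusing the request removes that variation."""
    fields = parse_qs(query, keep_blank_values=True)
    dups = sorted(name for name, values in fields.items() if len(values) > 1)
    if dups:
        raise DuplicateField("duplicate field(s): " + ", ".join(dups))
    return {name: values[0] for name, values in fields.items()}


def session_login(query):
    """Return (status, body) for a login attempt.

    Every failed attempt, malformed or merely wrong, gets the same status and
    the same body, so a differential probe has nothing to key on. No SQL is
    involved anywhere: the lookup is a plain dictionary."""
    try:
        fields = parse_login_fields(query)
    except DuplicateField:
        return HTTPStatus.UNAUTHORIZED, FAILURE_BODY
    user = fields.get("user", "")
    password = fields.get("pass", "")
    if not user or VALID_USERS.get(user) != password:
        return HTTPStatus.UNAUTHORIZED, FAILURE_BODY
    return HTTPStatus.OK, "Welcome " + user


def responses_differ(query_a, query_b):
    """True when two requests would hand a differential scanner distinct pages."""
    return session_login(query_a) != session_login(query_b)


if __name__ == "__main__":
    probe = "pass=&save=1&user=zz&save=1&user=yy"  # probe string from the report above
    print(session_login(probe))
    print(responses_differ(probe, "pass=&save=1&user=zz"))
```

The same check can be run against a real instance by comparing the status line and body of the probe request with those of an ordinary wrong-password request; a passing configuration gives no difference.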
This isn’t a sensible error. There is no SQL involved in anything that touches any of that code. It’s impossible to have an SQL injection in code that doesn’t talk to any SQL servers.
And, the behavior that it is saying is problematic is a login failed error, which is exactly what is supposed to happen when given bogus data.
You should notify your PCI compliance testing folks that this test is bogus.