The attached file contains partial code from /web/projop/packages/acs-subsite/www/register/index.adp, which has security issues like cross-site scripting and blind SQL injection.
I tried to remove this code in order to avoid these issues, but after doing so the application gets stuck on the register page and doesn't redirect to the home page.
Please let me know if there is any work-around.
Regards!!!
Vijay
The elements having security issues are:
1. password -> Authentication Bypass Using SQL Injection
2. __confirmed_p -> Cross-Site Scripting
3. token_id -> Cross-Site Scripting
4. username -> Authentication Bypass Using SQL Injection
5. __refreshing_p -> Cross-Site Scripting
6. return_url -> Blind SQL Injection
and one more issue on the /register page, i.e. Session Identifier Not Updated.
Last edit: vijay 2014-06-12
Hi Vijay,
I just unsuccessfully tried to reproduce the issue.
This page is "the door", the most important page in the whole of OpenACS and unchanged for several years. So I have certain doubts that such a mistake would have gone unnoticed by all the qualified eyeballs of the OpenACS community.
Also, we just had heavy (one week!) testing from a Washington company which normally operates in the military realm. I've written about this already here in the forum; these guys did find one SQL injection vulnerability, but only for the Administrator (who has full SQL access anyway).
=> Could you please send me (preferably in a private email) the URL of the SQL injection and XSS attacks and instructions on how to reproduce the issue?
The return_url reflection is already known but considered "not critical" because ]po[ is not a very common application. It is fixed in the latest version of AOLserver. However, we can't include this version in V4.1 for compatibility reasons, so we'll wait with this non-critical issue until V5.0. V5.0 will require this new version of AOLserver and also PostgreSQL 9.2.
Cheers!
Frank
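The return_url reflection Frank mentions is the one finding both sides agree is real: the register page echoes the parameter back (typically into a hidden form field or a redirect) without restricting its value. The following is an added example, not code from ]po[, OpenACS or AOLserver, showing the two defensive steps a page like this needs: restrict return_url to a same-site relative path, and HTML-escape it when it is reflected. It assumes plain Tcl 8.5+; the proc names are hypothetical.

```tcl
# Accept only a same-site, path-relative URL such as "/intranet/" or
# "/pm/?project_id=42". Returns 1 when the value may be reused, else 0.
proc safe_return_url_p {url} {
    # Must start with "/" (rejects "http://...", "javascript:..." etc.).
    if {[string index $url 0] ne "/"} { return 0 }
    # "//host/..." is scheme-relative and leaves the site; some browsers
    # treat "/\host" the same way, so reject a backslash as well.
    set second [string index $url 1]
    if {$second eq "/" || $second eq "\\"} { return 0 }
    # No control characters: a CR/LF would allow header injection when the
    # value ends up in a Location: redirect after login.
    if {[regexp {[[:cntrl:]]} $url]} { return 0 }
    return 1
}

# HTML-escape a string for element text or a double-quoted attribute,
# which is how an ADP template reflects return_url. AOLserver's
# ns_quotehtml does the same job; plain string map keeps this runnable
# outside the server.
proc html_escape {s} {
    return [string map [list & {&amp;} < {&lt;} > {&gt;} \" {&quot;} ' {&#39;}] $s]
}

# Fall back to a fixed default when the value is unsafe, then escape it.
# The result is safe to place in value="..." of the hidden return_url field.
proc reflect_return_url {url {default "/"}} {
    if {![safe_return_url_p $url]} { set url $default }
    return [html_escape $url]
}

# Constructed sample inputs (not from the scan report) and their outcome.
foreach u {/intranet/ {/pm/?project_id=42&view=list} //evil.example/phish {/foo?q="<b>"} {mailto:x@y}} {
    puts [format "%-32s -> %s" $u [reflect_return_url $u]]
}
```

The first two samples survive unchanged apart from escaping (the `&` becomes `&amp;`), the off-site and scheme-bearing ones collapse to the default `/`, and the quoted sample is reflected with its quotes and angle brackets encoded, so it cannot close the attribute it is placed in.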
Hi Frank,
Thank you very much for the reply.
Unfortunately I don't have your email id :(
Please provide it to me so that I can send you the scan report in order to explain the issues in detail.
Regards,
Vijay
Hi Vijay,
Please send the scan reports to info@project-open.com.
Could you please check if the same issues are present in ]po[ V5.0.beta1, which is available for download here on SourceForge? V5.0 is based on OpenACS 5.9, which includes a lot of security improvements, particularly in order to avoid reflections and XSS.
Cheers,
Frank
For the status of the issue please see the OpenACS forum:
http://openacs.org/forums/message-view?message_id=5332821
Just to correct and put things in context: The "Bypass Using SQL Injection" scan result is NOT correct. We haven't seen any SQL injection issue yet. The XSS issues are valid, though. However, we consider this a "low" priority issue, because ]po[ is not used very widely and not a frequent target for XSS attacks.
Cheers,
Frank
Last edit: Frank Bergmann 2016-08-19