[Done v1.3.9e] format string attack.
Any ideas? Is this a false positive on a PCI scan:
The remote web server hosts CGI scripts that fail to adequately sanitize request strings. They seem to be vulnerable to a 'format string' attack. By leveraging this issue, an attacker may be able to execute arbitrary code on the remote host subject to the privileges under which the web server operates.
Please inspect the results as this script is prone to false positives.
Solution:
Restrict access to the vulnerable application / scripts. And contact the vendor for a patch or upgrade.
CVSS Information:
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Partial Availability Impact
Additional References:
http://en.wikipedia.org/wiki/Format_string_attack
Information from Target:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to format string :
/shop/pages/wholesale-clubs-group-buys-1.html?zenid=%08x
Re: format string attack.
What version of Zen Cart? Have a URL for us?
~Melanie
Re: format string attack.
Quote: Originally Posted by mprough
What version of Zen Cart? Have a URL for us?
~Melanie
1.3.8 with all security patches. I'd rather not post a URL if it really is an issue. If one of the devs wants the URL I can PM it.
Re: format string attack.
You have a URL rewriting mod active, and this might be vulnerable to some attack...
Re: format string attack.
Quote: Originally Posted by tbaquatics
Any ideas? Is this a false positive on a PCI scan:
The remote web server hosts CGI scripts that fail to adequately sanitize request strings. They seem to be vulnerable to a 'format string' attack. By leveraging this issue, an attacker may be able to execute arbitrary code on the remote host subject to the privileges under which the web server operates.
Please inspect the results as this script is prone to false positives.
Solution:
Restrict access to the vulnerable application / scripts. And contact the vendor for a patch or upgrade.
CVSS Information:
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Partial Availability Impact
Additional References:
http://en.wikipedia.org/wiki/Format_string_attack
Information from Target:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to format string :
/shop/pages/wholesale-clubs-group-buys-1.html?zenid=%08x
At its basic level, v1.3.9 already protects against that problem, since it automatically resets the cookie value once it discovers the invalid value.
It can be reported as a false-positive (ControlScan have already accepted it as such).
A small patch to mitigate against seeing the false-positive will be included in v1.3.9e.
Re: format string attack.
What about in 1.3.8? Any patch?
Re: format string attack.
Threat-wise it's insignificant. There are no plans to backport it at present. Best to plan an upgrade to benefit from all the other important security benefits in 1.3.9 though.
Re: format string attack.
Quote: Originally Posted by DrByte
Threat-wise it's insignificant. There are no plans to backport it at present. Best to plan an upgrade to benefit from all the other important security benefits in 1.3.9 though.
ControlScan is asking for the following info to mark it as a false positive:
Is there any type of URL/content filtering?
What pattern matching is done to prevent this vulnerability?
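As an added illustration, not code from Zen Cart or from anyone in this thread, of the kind of check behind DrByte's "resets the cookie value once it discovers the invalid value" and of the pattern matching ControlScan is asking about: the zenid value is tested against the PHP session-id alphabet before it is trusted, and anything that fails (including the scanner's `%08x`) is discarded in favour of a fresh session instead of being echoed back. The length bounds, function names and sample query strings are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# PHP session ids are drawn from the alphabet [0-9a-zA-Z,-]; Zen Cart's zenid
# carries such an id. The length bounds are an assumption for this example.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{22,256}")

# printf-style conversion specifiers a format-string probe injects (%08x, %s, %n ...).
FORMAT_SPEC_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")


def is_valid_session_id(value):
    """True only if the entire value fits the session-id alphabet and length."""
    return SESSION_ID_RE.fullmatch(value) is not None


def contains_format_specifier(value):
    """True if the raw (undecoded) value carries a printf-style specifier."""
    return FORMAT_SPEC_RE.search(value) is not None


def raw_query_params(raw_query):
    """Split a query string WITHOUT percent-decoding, so %08x is seen as sent.
    A framework's decoded parameters would already have turned %08 into a control byte."""
    params = {}
    for pair in raw_query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def triage_zenid(raw_query):
    """Decide what to do with the zenid parameter of one request (constructed example)."""
    raw = raw_query_params(raw_query).get("zenid")
    if raw is None:
        return {"raw": None, "decoded": None, "valid": False, "probe": False,
                "action": "issue_new_session"}
    decoded = unquote_plus(raw)          # what the application actually sees
    valid = is_valid_session_id(decoded)
    return {
        "raw": raw,
        "decoded": decoded,
        "valid": valid,
        "probe": contains_format_specifier(raw),
        # an invalid id is never reused or reflected; a fresh one is issued instead
        "action": "keep" if valid else "issue_new_session",
    }


if __name__ == "__main__":
    # Constructed sample: the scanner's request from this thread, then a normal visit.
    for q in ("zenid=%08x", "main_page=index&zenid=u6mq3bk8hr9kqp8cvbi3s1g6f1"):
        print(q, "->", triage_zenid(q))
```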