Real-Life Vulnerabilities Reported by Invicti

The Invicti Web Application Advisory program provides vulnerability disclosures for open-source software. Let’s see how the program works and analyze two recent advisories to learn more about finding and fixing common security flaws.

Invicti Web Application Advisories

In the process of developing and testing the vulnerability scanning engine that powers Invicti’s cutting-edge web application security solutions, our security researchers scan a variety of open-source products. To do this, they take the latest version of an open-source web application and deploy it to a local test environment. The application is then scanned using Invicti as part of testing and improving our products.

If vulnerabilities are found, they are reported back to the original developers so they can fix them. After we get confirmation that the security issue has been fixed, we publish an advisory to inform users who might still be using a vulnerable version. That way, we can give back to the open-source community and improve overall security on the web.

Recent Invicti Disclosures

In our most recent advisories, Invicti security researcher Omar Kurt found two high-risk vulnerabilities in version 2.2.1 of Geeklog – a popular open-source content management system:

Both vulnerabilities were reported to Geeklog on March 11th, 2020, fixed on April 20th with the release of Geeklog v2.2.1sr1, and disclosed by Invicti on April 27th.

As you can see from the names, the vulnerabilities were related to cross-site scripting (XSS) and SQL injection – two of the most common web application vulnerabilities. Even though they are widely known and well understood, these types of programming errors still make it into production code, as shown by their continued presence in the OWASP list of Top 10 Web Application Security Risks. Let’s dive deeper into the reported vulnerabilities to see why they were possible and how they could be exploited.

A Real-Life XSS Vulnerability

Looking at the advisory for NS-20-001, we can see that Invicti found a cross-site scripting vector in two GET-type URL parameters for the page plugins.php. This means that an attacker can enter JavaScript code as the parameter value and the code will be executed by the browser. The exact test attack URLs used by Invicti were:

/geeklog-2.2.1/public_html/admin/plugins.php?direction=x"%20onmouseover=netsparker(0x01AAEC)%20x="&order=1&prevorder=pi_load
/geeklog-2.2.1/public_html/admin/plugins.php?direction=ASC&order=1&prevorder=x"%20onmouseover=netsparker(0x019E05)%20x="

Emulating a real attacker, Invicti replaced the valid, expected values of the direction and prevorder parameters with an injected payload (the part of each parameter value starting at x"). The double quote closes the attribute value that the parameter is written into, and the inserted code then adds an onmouseover event handler that calls a test function to check if the attack was successful. Of course, a malicious hacker could use far more dangerous code.

So can we dig a little deeper and find the cause? Notice that the vulnerability report only shows the attack URL, not the vulnerable code itself. This is because Invicti is a DAST (Dynamic Application Security Testing) tool, so it scans a running application and attempts to find vulnerabilities like a real attacker would. Armed with information about the attack point, the developer can find and fix the relevant flaw in the source code. Because Geeklog is an open-source application, we can do just that and see why the XSS attack was possible.

After downloading the source code package for Geeklog 2.2.1 or going to the GitHub repository, it’s just a matter of bringing up the file /public_html/admin/plugins.php and finding code that handles the direction and prevorder parameters. Sure enough, here is the vulnerable PHP code:

$ord = trim($_GET['order']);
$dir = trim($_GET['direction']);
$old = trim($_GET['prevorder']);
$sorting = "?order=$ord&direction=$dir&prevorder=$old";

As you see, the order, direction and prevorder parameters are taken directly from the GET request with no validation, put into three variables, and inserted into a string. Manual string concatenation using unvalidated user inputs is a typical cause of XSS vulnerabilities, and this is a prime example.
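The vulnerable pattern next to a hardened form, as an added example that is not Geeklog's code or the fix shipped in v2.2.1sr1. It assumes the sorting string ends up inside a double-quoted HTML attribute (which the quote-breaking test payload implies); the helper names and the column names other than pi_load are hypothetical.

```php
<?php
// Added example, not Geeklog's code or its actual fix.
// Column names other than pi_load (seen in the test URL) are hypothetical.
const ALLOWED_COLUMNS = ['pi_name', 'pi_version', 'pi_load'];
const ALLOWED_DIRECTIONS = ['ASC', 'DESC'];

/** Return $value only if it is one of the allowed strings, else the default. */
function pick($value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

/** Build the sorting query string from validated values only. */
function buildSortingQuery(array $get): string
{
    $ord = filter_var($get['order'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $params = [
        'order'     => $ord === false ? 0 : $ord,
        'direction' => pick($get['direction'] ?? null, ALLOWED_DIRECTIONS, 'ASC'),
        'prevorder' => pick($get['prevorder'] ?? null, ALLOWED_COLUMNS, 'pi_load'),
    ];
    // http_build_query() URL-encodes every value.
    return '?' . http_build_query($params, '', '&');
}

/** Encode for an HTML attribute: quotes become entities and cannot close it. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request mirroring the first test URL from the advisory.
$get = [
    'order'     => '1',
    'direction' => 'x" onmouseover=netsparker(0x01AAEC) x="',
    'prevorder' => 'pi_load',
];

// Pattern from the page: raw values concatenated, then written into markup.
$raw = "?order={$get['order']}&direction={$get['direction']}&prevorder={$get['prevorder']}";
echo '<a href="plugins.php' . $raw . '">sort</a>', "\n";

// Hardened: allowlisted values, URL-encoded, then attribute-encoded on output.
echo '<a href="plugins.php' . attr(buildSortingQuery($get)) . '">sort</a>', "\n";
```

Allowlisting fixes what the application accepts, and attribute encoding on output covers any value that still reaches the markup by another path.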

A Real-Life Blind SQL Injection Vulnerability

Looking at advisory NS-20-002, we can see that Invicti found a blind SQL injection vulnerability for the POST-type parameter uid in a comment form on the page comment.php. This means that an attacker can insert SQL query code into the value of the uid parameter posted by the browser to the server along with other form data. The injection string used by Invicti was:

2+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f

Removing URL encoding and commented code, the SQL query used for the test attack is:

SELECT 1 FROM (SELECT SLEEP(25))A

In general, an SQL injection vulnerability means that user inputs to a web application are not validated correctly, allowing the attacker to inject database queries to extract information or modify the database. If the vulnerable application does not return any data, blind SQL injection can be used to indirectly read smaller pieces of information from the database.

In this case, the test attack code successfully injected a query containing the SLEEP(25) command, causing the application to wait for 25 seconds before responding. This delay informs the attacker that the injected query returned a true result, while no delay in the application response would mean false. This allows the attacker to extract information from the database using a series of yes/no questions.
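How strict integer validation plus a bound parameter stops input like the test string above, as an added example that is not Geeklog's code or its actual fix. The users table, its columns and the helper names are hypothetical, and an in-memory SQLite database (pdo_sqlite extension) stands in for the real one so the script runs offline.

```php
<?php
// Added example: table, columns and helpers are hypothetical, not Geeklog's schema.

/** Accept uid only if it is a plain positive integer; return null otherwise. */
function parseUid($raw): ?int
{
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

/** Look up a user with a bound parameter, so uid is never parsed as SQL. */
function findUser(PDO $db, int $uid): ?array
{
    $stmt = $db->prepare('SELECT uid, username FROM users WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (2, 'alice')");

// Constructed inputs: a normal uid, then the URL-decoded core of the test string.
$inputs = ['2', '2 + ((SELECT 1 FROM (SELECT SLEEP(25))A))'];

foreach ($inputs as $raw) {
    $uid = parseUid($raw);
    if ($uid === null) {
        // Reject before any database work and leave a trace for monitoring.
        error_log('comment form: uid rejected (not a positive integer)');
        echo "rejected\n";
        continue;
    }
    $user = findUser($db, $uid);
    echo $user === null ? "no such user\n" : "found {$user['username']}\n";
}
```

Either control alone blocks this input; using both means a later change that loosens the validation still cannot turn uid into query text.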

The Security of Open-Source Software

From hobby projects to enterprise deployments, the web relies on open-source software. The Invicti Web Advisory program is our way of giving back to the open-source community and improving the security of software used by billions of people worldwide.

For organizations, the business benefits of using open-source code are obvious – it’s free and someone else has done the work. Security is not always considered, even though it should be a priority. Especially with popular libraries and applications used in millions of deployments, any vulnerabilities in the code can be exploited by cybercriminals in a matter of hours and on a massive scale. This is why it’s vital to check your websites and web applications with a high-quality web vulnerability scanner like Invicti.

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.