SQL Injection Vulnerability in Rasa X

I recently received the Vulnerabilities Report of my Rasa-X chatbot.

Has someone faced this before? Or know how to fix this issue? The solution says “Modify the affected CGI scripts so that they properly escape arguments”, but where exactly to modify?

Vulnerabilities

CGI Generic SQL Injection (blind)

Synopsis

A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

See Also

http://www.securiteam.com/securityreviews/5DP0N1P76E.html http://www.nessus.org/u?ed792cf5 http://projects.webappsec.org/w/page/13246963/SQL%20Injection

Solution

Modify the affected CGI scripts so that they properly escape arguments.

Risk Factor

High

CVSS v2.0 Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

XREF CWE:20
XREF CWE:77
XREF CWE:801
XREF CWE:810
XREF CWE:89
XREF CWE:91
XREF CWE:203
XREF CWE:643
XREF CWE:713
XREF CWE:722
XREF CWE:727
XREF CWE:751
XREF CWE:928
XREF CWE:929

Plugin Information

Published: 2009/11/06, Modified: 2021/01/19

Plugin Output

tcp/8080/www

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'file' parameter of the / CGI :

/?auth[username]=&auth[db]=&auth[driver]=server&auth[password]=&auth[per
manent]=1&auth[server]=db&version=4.8.0&token=409667%3a224416&lang=&file
=default.csszz&auth[db]=&auth[driver]=server&auth[password]=&auth[perman
ent]=1&auth[server]=db&version=4.8.0&token=409667%3a224416&lang=&file=de
fault.cssyy

-------- output --------

body{color:#000;background:#fff;font:90%/1.25 Verdana,Arial,Helvetica,sa
ns-serif;margin:0;width:-moz-fit-content;width:fit-content;}a{color:blue
;text-decoration:none;}a:visited{color:navy;}a:link:hover,a:visited:hove
r{color:red;text-decoration:underline;}a.text:hover{text-decoratio [...]

-------- vs --------
------------------------

/?auth[username]=&auth[db]=&auth[driver]=server&auth[password]=&auth[per
manent]=1&auth[server]=db&version=4.8.0&token=409667%3a224416&lang=&file
=default.csszz&auth[db]=&auth[driver]=server&auth[password]=&auth[perman
ent]=1&auth[server]=db&version=4.8.0&token=409667%3a224416&lang=&file=de
fault.cssyy {2}

-------- output --------

body{color:#000;background:#fff;font:90%/1.25 Verdana,Arial,Helvetica,sa
ns-serif;margin:0;width:-moz-fit-content;width:fit-content;}a{color:blue
;text-decoration:none;}a:visited{color:navy;}a:link:hover,a:visited:hove
r{color:red;text-decoration:underline;}a.text:hover{text-decoratio [...]

-------- vs --------
------------------------
1 Like

Just to point here, probably will help someone else.

The vulnerability was not observed in any of the RASA service. I realized that the port was 8080, and I had configured a different service on that port.

So just to clear, if you find such thing, probably its something else.