mrlt8 / docker-wyze-bridge

WebRTC/RTSP/RTMP/LL-HLS bridge for Wyze cams in a docker container
GNU Affero General Public License v3.0
2.47k stars 151 forks

OpenVAS Security Scan - Medium issue & False Detections #1022

Open juched78 opened 8 months ago

juched78 commented 8 months ago

Having run the OpenVAS security scanner on my network recently, I have multiple findings reported against port 5000 for wyze bridge.

This first finding seems valid:

Summary

The remote HTTP web server / application does not set the 'HttpOnly' cookie attribute for one or more HTTP cookies it sends.

Detection Result

The cookies:

Set-Cookie: number_of_columns=***replaced***; Path=/
Set-Cookie: refresh_period=***replaced***; Path=/
Set-Cookie: show_video=; Path=/
Set-Cookie: video=***replaced***; Path=/
Set-Cookie: fullscreen=; Path=/

are missing the "HttpOnly" attribute.

Insight

The flaw exists if a session cookie is not using the 'HttpOnly' cookie attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Detection Method

Checks all cookies sent by the remote HTTP web server / application for a missing 'HttpOnly' cookie attribute.
Details: Missing 'HttpOnly' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.105925
Version used: 2023-01-11T10:12:37Z

Affected Software/OS

Any web application with session handling in cookies.

Solution

Solution Type: Mitigation
### Other False Positive Findings

_The other findings seem to be related to the fact that the /api endpoint responds to the detections used, making it think there is a solution in place. One simple way to avoid these detections (if desired) would be to filter out (return 404) any URL containing ".php", or restrict to only 2 levels deep (or as needed). These are not legit findings, but they do generate noise for people running security tools, so smaller impact._

------

The remote web server is running phpWebLog, a news and content management system written in PHP that is prone to several flaws, including possibly arbitrary code execution.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/search.php?query=we+%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&topic=0&limit=30

------

CompactCMS is prone to multiple cross-site scripting (XSS) vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/afdrukken.php?page=%22%3E%3Cscript%3Ealert(%27openvasvt%27)%3C/script%3E

------

Community Server is prone to a cross-site scripting (XSS) vulnerability because it fails to sufficiently sanitize user-supplied data.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/utility/TagSelector.aspx?TagEditor=%27)%3C/script%3E%3Cscript%3Ealert(%27openvasvt%27)%3C/script%3E

------

Softbiz Classifieds Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/showcategory.php?cid=9type=1&keyword=Pouya&radio=%3E%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

------

The remote web server contains a PHP script which is vulnerable to a cross site scripting and SQL injection issue.

Description: Basit cms 1.0 has a cross site scripting bug. An attacker may use it to perform a cross site scripting attack on this host. In addition to this, it is vulnerable to a SQL insertion attack which may allow an attacker to get control of your database.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/modules/Submit/index.php?op=pre&title=

------

The remote web server contains several PHP scripts that are prone to cross-site scripting attacks.

Description: The remote host runs Zeroboard, a web BBS application popular in Korea. The remote version of this software is vulnerable to cross-site scripting attacks due to a lack of sanitization of user-supplied data. Successful exploitation of this issue may allow an attacker to execute malicious script code in a user's browser within the context of the affected web site.

Detection Result

Vulnerable URL: http://:5000/api/ldap/config/ldapTreeNodeChildren/zboard.php?id=gallery&sn1=ALBANIAN%20RULEZ='%3E%3Cscript%3Efoo%3C/script%3E

------

There are half a dozen other findings like this.
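The two mitigations the comment proposes (answer 404 to ".php"-style probe URLs or to paths nested deeper than the app's real routes, and send cookies with HttpOnly) can both be done in front of a WSGI app without touching its routes. The block below is an added example written for this page, not code from docker-wyze-bridge: the `ScannerNoiseFilter` middleware, the `demo_app` stand-in that mimics the scan's `Set-Cookie` lines, the hypothetical `session` cookie and the `max_depth=2` value are all constructed here. Two caveats are built in: HttpOnly is applied only to an allowlist of cookie names, because a cookie such as `number_of_columns` that page JavaScript reads would stop working with HttpOnly; and `Secure` is added only when the request actually arrived over TLS, since the bridge is reached over plain HTTP on port 5000 and a browser would silently drop a `Secure` cookie set over HTTP.

```python
"""Stdlib-only WSGI middleware: 404 scanner probe paths, harden Set-Cookie.
Example code for this issue thread; the demo app and cookie names are
constructed stand-ins, not the bridge's own routes or cookies."""
import re

# Script extensions the bridge never serves; a request for one is scanner noise.
SCRIPT_EXT = re.compile(r"\.(?:php[0-9]?|aspx?|jsp|cgi)(?=$|[/?;#])", re.IGNORECASE)


def is_probe_path(path: str, max_depth: int = 2) -> bool:
    """True for a vuln-scanner probe: a script extension the app does not
    serve, or more path segments than the longest real route (assumed 2)."""
    if SCRIPT_EXT.search(path):
        return True
    segments = [s for s in path.split("/") if s]
    return len(segments) > max_depth


def _has_attr(cookie: str, attr: str) -> bool:
    # Attributes follow the name=value pair, ';'-separated, case-insensitive.
    return any(p.strip().lower().split("=")[0] == attr.lower()
               for p in cookie.split(";")[1:])


def harden_cookie(cookie: str, protect: set, https: bool) -> str:
    """Append HttpOnly (allowlisted names only), SameSite=Lax, and Secure
    (only on TLS) to a Set-Cookie value that lacks them."""
    name = cookie.split("=", 1)[0].strip()
    out = cookie.rstrip("; ")
    if name in protect and not _has_attr(cookie, "HttpOnly"):
        out += "; HttpOnly"
    if not _has_attr(cookie, "SameSite"):
        out += "; SameSite=Lax"
    if https and not _has_attr(cookie, "Secure"):
        out += "; Secure"
    return out


class ScannerNoiseFilter:
    """Wrap any WSGI app (Flask included) with the two mitigations."""

    def __init__(self, app, max_depth: int = 2, protect=frozenset()):
        self.app, self.max_depth, self.protect = app, max_depth, set(protect)

    def __call__(self, environ, start_response):
        if is_probe_path(environ.get("PATH_INFO", ""), self.max_depth):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        https = environ.get("wsgi.url_scheme") == "https"

        def hardened(status, headers, exc_info=None):
            fixed = [(k, harden_cookie(v, self.protect, https)
                      if k.lower() == "set-cookie" else v) for k, v in headers]
            return start_response(status, fixed, exc_info)

        return self.app(environ, hardened)


def demo_app(environ, start_response):
    """Constructed stand-in: every path answers 200 (like the catch-all /api
    behaviour the scan hit) and sets one preference cookie from the scan
    plus a hypothetical session cookie."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "number_of_columns=2; Path=/"),
               ("Set-Cookie", "session=abc123; Path=/")]
    start_response("200 OK", headers)
    return [b"ok\n"]


def call(app, path: str, scheme: str = "http"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def set_cookies(headers):
    return [v for k, v in headers if k.lower() == "set-cookie"]


if __name__ == "__main__":
    app = ScannerNoiseFilter(demo_app, max_depth=2, protect={"session"})
    for p in ["/", "/api/ldap/config/ldapTreeNodeChildren/search.php", "/api/x/y"]:
        status, headers, _ = call(app, p)
        print(p, "->", status, set_cookies(headers))
```

Pick `max_depth` from the app's real route table before deploying this; a value smaller than the deepest legitimate route would 404 real traffic. Filtering the probe paths only removes the scanner noise; it does not change how the existing /api route answers other unknown paths.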