nilsonLazarin / WeGIA

WeGIA: web management system for charitable institutions (Web gerenciador para instituições assistenciais)

Vulnerability analysis of the file html/listar_saida.php #119

Closed joaopontes22 closed 1 month ago

joaopontes22 commented 6 months ago

Vulnerability Analysis

  1. SQL injection vulnerability:

    • The SQL injection vulnerability is present on the lines where SQL queries are assembled without validating or escaping user-supplied data. For example:
      $id_pessoa = $_SESSION['id_pessoa'];
      $resultado = mysqli_query($conexao, "SELECT * FROM funcionario WHERE id_pessoa=$id_pessoa");

      In this snippet, the value of $id_pessoa is inserted directly into the SQL query without any validation, opening the possibility of an SQL injection attack.

  2. Untrusted redirect vulnerability:

    • There is a possible untrusted redirect risk on the following lines:
      header("Location: ../index.php");

      The code only performs a basic check that the user is logged in and then redirects to the home page [../index.php]. Depending on how the system is implemented, an attacker could exploit this vulnerability to redirect users to malicious pages.

  3. Inadequate null-result validation:

    • The !is_null($resultado) check in the code is not a safe way to verify that an SQL query returned adequate results. It may be useful to check the number of rows returned, or whether the query failed, in a proper way.
  4. Code redundancy:

    • There is code redundancy on the lines where the permission-denied message is set and the user is redirected. This logic repeats several times, which suggests that a generic function for handling this situation could be more efficient.
  5. Outdated code vulnerability:

    • Some resources and libraries used in the code appear to be old versions, such as jQuery DataTables. It is always recommended to keep libraries and frameworks up to date to avoid known vulnerabilities.
  6. Possible insecure file inclusion:

    • The line that includes the file personalizacao_display.php is vulnerable to arbitrary file inclusion, depending on the contents of config.php. Make sure that config.php and the other included files are secure and cannot be manipulated by the user.
  7. Lack of in-depth security measures:

    • The code does not present in-depth security measures such as strict input filtering, form validation, session verification on every request, and other practices recommended for web application security.

It is recommended to review the code, implement appropriate security measures such as prepared SQL statements, input validation and session control, and keep the libraries up to date to ensure the security of the web application.
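
Added example (editor's note; this is not WeGIA code and not the commenter's): the snippet below shows the three code-level points from the analysis above in hardened form, namely the funcionario lookup as a prepared statement with a bound integer, the post-action page selection as an allowlisted key instead of a caller-supplied path, and the include guarded by a realpath containment check. The table and column names (funcionario, id_pessoa) are taken from the quoted query; the page keys, the /WeGIA/ URL prefix, the $conexao setup and the call site are assumptions. Two caveats: $_SESSION values are normally written by the application's own login code, so the practical exposure of that query depends on how id_pessoa enters the session, and binding the value simply removes the question; and the header("Location: ../index.php") in the analysis is a fixed string, so the allowlist matters where the target comes from the request, as with the nextPage=../html/listar_saida.php parameter in the WAF records posted later in this thread.

```php
<?php
// Added example, not WeGIA code. Hardened forms of the three code-level
// points in the issue: (1) bind the value instead of interpolating it,
// (2) select the next page by allowlisted key instead of by path,
// (3) confine the include target to the application directory.
// Assumed: $conexao is an open mysqli handle, the app is served under
// /WeGIA/, and the page keys below are the ones the dispatcher accepts.

declare(strict_types=1);

// --- (1) SQL ---------------------------------------------------------------
// Before (quoted in the issue):
//   mysqli_query($conexao, "SELECT * FROM funcionario WHERE id_pessoa=$id_pessoa");
function buscarFuncionario(mysqli $conexao, $id_pessoa): ?array
{
    // A session value is still data: coerce it to the expected type and bind
    // it, so it can never change the shape of the statement.
    $id = filter_var($id_pessoa, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $conexao->prepare('SELECT * FROM funcionario WHERE id_pessoa = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null; // null when no employee matched
}

// --- (2) Navigation --------------------------------------------------------
// The WAF records in this thread show control.php called with
// nextPage=../html/listar_saida.php, a filesystem-relative path taken from
// the query string. Replace the path with a key; the paths stay server-side.
const PAGINAS_PERMITIDAS = [          // assumed keys
    'listar_saida' => 'html/listar_saida.php',
    'index'        => 'index.php',
];

function resolverProximaPagina(?string $chave): string
{
    // Unknown or missing key falls back to the home page; the raw request
    // value never reaches header() or include().
    return PAGINAS_PERMITIDAS[$chave ?? ''] ?? PAGINAS_PERMITIDAS['index'];
}

function redirecionarPara(string $chave): void
{
    // Absolute path under the app root (assumed /WeGIA/), not a relative one.
    header('Location: /WeGIA/' . resolverProximaPagina($chave));
    exit;
}

// --- (3) Include -----------------------------------------------------------
function incluirPaginaSegura(string $chave, string $baseDir): bool
{
    $base = realpath($baseDir);
    $alvo = realpath($baseDir . '/' . resolverProximaPagina($chave));
    // realpath() collapses '..' and symlinks; the result must exist and must
    // sit strictly inside $baseDir, otherwise refuse to include anything.
    if ($base === false || $alvo === false
        || strncmp($alvo, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $alvo;
    return true;
}

// Usage sketch (assumed call site in the controller):
// $func = buscarFuncionario($conexao, $_SESSION['id_pessoa'] ?? null);
// if ($func === null) { redirecionarPara('index'); }
// if (!incluirPaginaSegura($_GET['nextPage'] ?? 'index', __DIR__ . '/..')) {
//     http_response_code(404);
// }
```

With key-based navigation the query string no longer carries "../", so CRS rule 930110 has nothing to match and the anomaly score stays at zero. A rule exclusion on the WAF side (for example SecRuleUpdateTargetById 930110 "!ARGS:nextPage") would silence the alert but leave the path-valued parameter in place, which is the weaker option.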

joaopontes22 commented 3 months ago

[Thu Jul 18 15:06:19.596554 2024] [security2:error] [pid 526:tid 526] [client 177.107.231.54:62020] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\/])\\.\\.(?:[\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "Zpkva2AHHnn2rkFsyZoxUAAAAAM"]
[Thu Jul 18 15:06:19.596696 2024] [security2:error] [pid 526:tid 526] [client 177.107.231.54:62020] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\/])\\.\\.(?:[\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "Zpkva2AHHnn2rkFsyZoxUAAAAAM"]
[Thu Jul 18 15:06:19.599968 2024] [security2:error] [pid 526:tid 526] [client 177.107.231.54:62020] [client 177.107.231.54] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "Zpkva2AHHnn2rkFsyZoxUAAAAAM"]
[Thu Jul 18 15:06:19.600288 2024] [security2:error] [pid 526:tid 526] [client 177.107.231.54:62020] [client 177.107.231.54] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "Zpkva2AHHnn2rkFsyZoxUAAAAAM"]

joaopontes22 commented 3 months ago

--6e005669-A--
[18/Jul/2024:15:06:52.109969 +0000] ZpkvjFHsY5o8URkhNoVsmgAAAAo 177.107.231.54 62060 10.0.0.80 443

--6e005669-B--
GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=SaidaControle&nextPage=../html/listar_saida.php HTTP/1.1
Host: comfirewall.wegia.org:8000
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.226787592.1712170424; PHPSESSID=l3qtr41r306gqi2kksvkbcj7bj; _ga_F8DXBXLV8J=GS1.1.1721314557.29.1.1721315142.60.0.0

--6e005669-F--
HTTP/1.1 403 Forbidden
Content-Length: 288
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--6e005669-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
(rendered response body)
403 Forbidden
Forbidden
You don't have permission to access this resource.
Apache/2.4.61 (Debian) Server at comfirewall.wegia.org Port 8000

--6e005669-H--
Message: Warning. Pattern match "(?:^|[\/])\.\.(?:[\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"]
Message: Warning. Pattern match "(?:^|[\/])\.\.(?:[\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvjFHsY5o8URkhNoVsmgAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/listar_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvjFHsY5o8URkhNoVsmgAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvjFHsY5o8URkhNoVsmgAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvjFHsY5o8URkhNoVsmgAAAAo"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1721315212103227 7592 (- - -)
Stopwatch2: 1721315212103227 7592; combined=6017, p1=859, p2=4842, p3=0, p4=0, p5=316, sr=166, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.61 (Debian)
Engine-Mode: "ENABLED"

--6e005669-Z--


joaopontes22 commented 1 month ago

Security issues resolved