nilsonLazarin / WeGIA

WeGIA: Web manager for charitable institutions

Vulnerability analysis of the file html/cadastro_saida.php #136

Closed joaopontes22 closed 9 hours ago

joaopontes22 commented 4 months ago

Vulnerability Analysis. Vulnerabilities found in the code:

  1. SQL injection: On line 14, the SQL query is built by concatenating the variable $id_pessoa directly into the string. This can lead to a SQL injection attack if the value of that variable is not validated before being used in the query. Using prepared statements is recommended to protect against this type of vulnerability.

  2. Comparison of mysqli_result with null: On lines 18, 28 and 37, the code uses the mysqli_query function to run queries and then checks whether the return value differs from null with !is_null($resultado). However, mysqli_query returns a mysqli_result object even if the query returns no results, so this check is not correct. It should instead check whether the result returned by the query is valid or not.

  3. Inconsistent $permissao variable: The variable $permissao is initialized with the value 1 on lines 39, 47 and 55, but is later reassigned other values depending on the queries and conditions. This can make the code confusing and error-prone. It is advisable to handle the permission logic in a clearer and more consistent way.

  4. Escaping output data: On line 48, the error message $msg is used directly in the redirect URL with header("Location: ./home.php?msg_c=$msg"). To avoid possible Cross-Site Scripting (XSS) attacks, it is important to escape the data appropriately before displaying it to the user.

  5. Input validation for the origin field: The origin check on line 134 is performed directly on the user-supplied value. Implementing more robust validation is recommended to ensure that only valid values are accepted in this field.

Note: Remember to always validate and filter all user input before using it in SQL queries or in output, to avoid security vulnerabilities.
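The fixes recommended in items 1, 2, 4 and 5 of the comment above, written out as an added example (this is not WeGIA's code). It assumes a mysqli connection `$conn`, the mysqlnd driver (for `get_result`), and placeholder table, column and allowlist values.

```php
<?php
// Added example (not WeGIA's code). Assumes a mysqli connection $conn, the
// mysqlnd driver (for get_result), and placeholder table/column names.

// Item 1, as the issue describes it: $id_pessoa concatenated into the SQL string.
//   $resultado = mysqli_query($conn, "SELECT * FROM pessoa WHERE id_pessoa = " . $id_pessoa);
// Hardened form: validate the type, then bind it as a parameter.
function buscarPessoa(mysqli $conn, $id_pessoa): ?array
{
    // Reject anything that is not an integer before it reaches the database.
    $id = filter_var($id_pessoa, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $conn->prepare("SELECT id_pessoa, nome FROM pessoa WHERE id_pessoa = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("i", $id);
    $stmt->execute();
    // Item 2: a result object is returned even for zero rows, so test the row
    // (or num_rows), not is_null($resultado).
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Item 5: allowlist for the 'origem' field (values are placeholders).
const ORIGENS_VALIDAS = ['doacao', 'compra'];
function origemValida(string $origem): bool
{
    return in_array($origem, ORIGENS_VALIDAS, true);
}

// Item 4: encode the message before placing it in the Location header, and
// HTML-escape it again where home.php prints msg_c.
function redirecionarComMensagem(string $msg): void
{
    header("Location: ./home.php?msg_c=" . rawurlencode($msg));
    exit;
}
// On home.php: echo htmlspecialchars($_GET['msg_c'] ?? '', ENT_QUOTES, 'UTF-8');
```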

joaopontes22 commented 2 months ago

[Thu Jul 18 15:04:33.842638 2024] [security2:error] [pid 617:tid 617] [client 177.107.231.54:61960] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\/])\\.\\.(?:[\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvAZmTqzvT7a3VcqSmJAAAAAc"], referer: https://comfirewall.wegia.org:8000/WeGIA/html/home.php
[Thu Jul 18 15:04:33.842771 2024] [security2:error] [pid 617:tid 617] [client 177.107.231.54:61960] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\/])\\.\\.(?:[\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvAZmTqzvT7a3VcqSmJAAAAAc"], referer: https://comfirewall.wegia.org:8000/WeGIA/html/home.php
[Thu Jul 18 15:04:33.846166 2024] [security2:error] [pid 617:tid 617] [client 177.107.231.54:61960] [client 177.107.231.54] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvAZmTqzvT7a3VcqSmJAAAAAc"], referer: https://comfirewall.wegia.org:8000/WeGIA/html/home.php
[Thu Jul 18 15:04:33.846538 2024] [security2:error] [pid 617:tid 617] [client 177.107.231.54:61960] [client 177.107.231.54] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvAZmTqzvT7a3VcqSmJAAAAAc"], referer: https://comfirewall.wegia.org:8000/WeGIA/html/home.php

joaopontes22 commented 2 months ago

--96331a18-A--
[18/Jul/2024:15:05:01.672279 +0000] ZpkvHWAHHnn2rkFsyZoxTwAAAAM 177.107.231.54 61981 10.0.0.80 443

--96331a18-B--
GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=../html/cadastro_saida.php HTTP/1.1
Host: comfirewall.wegia.org:8000
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://comfirewall.wegia.org:8000/WeGIA/html/home.php
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.226787592.1712170424; PHPSESSID=l3qtr41r306gqi2kksvkbcj7bj; _ga_F8DXBXLV8J=GS1.1.1721314557.29.1.1721315064.11.0.0

--96331a18-F--
HTTP/1.1 403 Forbidden
Content-Length: 288
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--96331a18-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
403 Forbidden
Forbidden
You don't have permission to access this resource.
Apache/2.4.61 (Debian) Server at comfirewall.wegia.org Port 8000

--96331a18-H--
Message: Warning. Pattern match "(?:^|[\/])\.\.(?:[\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"]
Message: Warning. Pattern match "(?:^|[\/])\.\.(?:[\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvHWAHHnn2rkFsyZoxTwAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:nextPage. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "72"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:nextPage: ../html/cadastro_saida.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvHWAHHnn2rkFsyZoxTwAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvHWAHHnn2rkFsyZoxTwAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 177.107.231.54] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=10,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "comfirewall.wegia.org"] [uri "/WeGIA/controle/control.php"] [unique_id "ZpkvHWAHHnn2rkFsyZoxTwAAAAM"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1721315101662970 10164 (- - -)
Stopwatch2: 1721315101662970 10164; combined=8203, p1=847, p2=6792, p3=0, p4=0, p5=564, sr=174, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.61 (Debian)
Engine-Mode: "ENABLED"

--96331a18-Z--
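The audit log above shows CRS rule 930110 matching the `../` in the `nextPage` parameter that control.php receives as a filesystem-relative path. As an added example (not WeGIA's code), one way to keep such paths out of request parameters altogether is to pass a short page key and resolve it against a fixed map server-side; the keys and file names below are placeholders.

```php
<?php
// Added example (not WeGIA's code). control.php resolves a page key to a fixed
// file instead of redirecting to whatever path the nextPage parameter carries.
// Keys and file names are placeholders.
const PAGINAS = [
    'cadastro_saida' => 'cadastro_saida.php',
    'home'           => 'home.php',
];

function resolverNextPage(?string $chave): string
{
    // Any value that is not a known key (including '../html/...') falls back
    // to home.php; the request never influences the directory part.
    $arquivo = PAGINAS[$chave ?? ''] ?? PAGINAS['home'];
    return '../html/' . $arquivo;
}

// In control.php, after the action has run:
//   header('Location: ' . resolverNextPage($_GET['nextPage'] ?? null));
//   exit;
```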

joaopontes22 commented 9 hours ago

Security issues resolved