Problem/Motivation
Acunetix 360 identified an internal server error.
The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices: insufficient error checking, input sanitization and whitelisting.
Steps to reproduce
If relevant, our site environment is Apache 2.4 / PHP 7.4 / PostgreSQL.
1. Enable the 'captcha' module
2. Invoke /image_captcha?sid=%22%26%20ping%20-n%2025%20127.0.0.1%20%26&ts=1661900629
This results in the following error message (using PostgreSQL):
PDOException: SQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for integer: ""& ping -n 25 127.0.0.1 &" LINE 1: ...ELECT solution FROM captcha_sessions WHERE csid = '"& ping -... ^: SELECT solution FROM {captcha_sessions} WHERE csid = :csid; Array ( [:csid] => "& ping -n 25 127.0.0.1 & ) in image_captcha_image() (line 27 of C:\Apache24\htdocs\sites\all\modules\captcha\image_captcha\image_captcha.user.inc)
Proposed resolution
In captcha/image_captcha/image_captcha.user.inc code, verify and/or sanitize the 'sid' GET parameter before making the database query.
For our site, we made this change to line 20:
if (!isset($_GET['sid']) || !is_numeric($_GET['sid'])) {
so that, at minimum, the 'sid' parameter is numeric before it reaches the database query.
If someone has a better fix we can go with that, but for now we need the hole plugged for site scan results.
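An added example (not the captcha module's own code) of the check the change above performs, pulled into a helper so it can be exercised on its own; it assumes the Drupal 7 db_query() call quoted in the error message and is stricter than is_numeric(), accepting only a plain decimal integer that fits the integer column:

```php
<?php
/**
 * Validate the 'sid' GET parameter before it reaches the database.
 *
 * Added example, not the captcha module's code. Returns the id as an int,
 * or NULL for anything that is not a plain decimal integer. This is stricter
 * than is_numeric(), which also accepts forms such as "1e3" or " 1" that
 * PostgreSQL rejects for an integer column with the same SQLSTATE 22P02 error.
 */
function image_captcha_valid_sid($raw) {
  if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
    return NULL;
  }
  $sid = (int) $raw;
  // Assumed bound: csid is taken to be a positive 32-bit signed integer.
  if ($sid < 1 || $sid > 2147483647) {
    return NULL;
  }
  return $sid;
}

/**
 * Look up the captcha solution for a request; FALSE on invalid input or no match.
 * The query mirrors the parameterized statement shown in the error message.
 */
function image_captcha_lookup_solution(array $get) {
  $sid = isset($get['sid']) ? image_captcha_valid_sid($get['sid']) : NULL;
  if ($sid === NULL) {
    // Malformed input is a client error; answer 400 instead of letting a
    // PDOException surface as a 500 with the file path in the message.
    drupal_add_http_header('Status', '400 Bad Request');
    return FALSE;
  }
  return db_query(
    'SELECT solution FROM {captcha_sessions} WHERE csid = :csid',
    array(':csid' => $sid)
  )->fetchField();
}

// Constructed inputs: the scanner's payload from the report, and a plain id.
image_captcha_valid_sid('"& ping -n 25 127.0.0.1 &');
image_captcha_valid_sid('1661900629');
```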