Problem/Motivation

Acunetix 360 identified an internal server error.

The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting.

Steps to reproduce

If relevant, our site env = Apache 2.4 / PHP 7.4 / PostgreSQL

1. Enable the 'captcha' module
2. Invoke /image_captcha?sid=%22%26%20ping%20-n%2025%20127.0.0.1%20%26&ts=1661900629

Results in this error message (using PostgreSQL):

PDOException: SQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for integer: ""& ping -n 25 127.0.0.1 &" LINE 1: ...ELECT solution FROM captcha_sessions WHERE csid = '"& ping -... ^: SELECT solution FROM {captcha_sessions} WHERE csid = :csid; Array ( [:csid] => "& ping -n 25 127.0.0.1 & ) in image_captcha_image() (line 27 of C:\Apache24\htdocs\sites\all\modules\captcha\image_captcha\image_captcha.user.inc)

Proposed resolution

In captcha/image_captcha/image_captcha.user.inc code, verify and/or sanitize the 'sid' GET parameter before making the database query.

For our site, we made this change to line 20:

if (!isset($_GET['sid']) || !is_numeric($_GET['sid'])) {

Such that, at minimum, the 'sid' parameter will be numeric before getting to the db query.

If someone has a better fix we can go with that, but for now we need the hole plugged for site scan results.
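Added example, not the captcha module's own code and not the reporter's change above: a self-contained version of the check that the proposed resolution describes. Two things worth noting from the exception text on this page: the query already binds `:csid` as a placeholder (the payload shows up in the bound-parameter array, not spliced into the SQL), so the 500 is PostgreSQL refusing a non-integer string for an integer column rather than the string reaching the SQL parser; and `is_numeric()` is looser than what PostgreSQL accepts for an integer, since it passes values like `12.5`, `1e3` and ` 12` that would still raise "invalid input syntax for integer". The example therefore validates with `FILTER_VALIDATE_INT` and a range, binds the value as `PDO::PARAM_INT`, and turns a bad or unknown id into a 404 instead of an unhandled `PDOException`. The function names, the assumption that `csid` is a 32-bit integer column, the plain-PHP response handling (in the module the Drupal equivalent would be used), and the in-memory SQLite table with its rows are all assumptions or constructed sample data, used so the code runs without a site.

```php
<?php
// Added example, not the captcha module's code. Validates the 'sid' GET
// parameter before it reaches the captcha_sessions query, so a bad value
// yields a 404 instead of an HTTP 500 from an uncaught PDOException.

/**
 * Return the session id as an int, or null if the value is missing, not a
 * string (e.g. ?sid[]=1), not a plain decimal integer, or out of range.
 * FILTER_VALIDATE_INT rejects "12.5", "1e3" and hex/octal forms that
 * is_numeric() would accept but PostgreSQL would still refuse.
 * Assumption: csid is a 32-bit integer column (PostgreSQL serial/int4).
 */
function image_captcha_parse_sid($value): ?int {
    if (!is_string($value)) {
        return null;
    }
    $sid = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 2147483647],
    ]);
    return $sid === false ? null : $sid;
}

/**
 * Look up the solution for a session id, binding it as an integer.
 * Returns null when the id is invalid, unknown, or the query fails; the
 * database error is logged for the operator but never shown to the client.
 */
function image_captcha_lookup_solution(PDO $db, $raw_sid): ?string {
    $sid = image_captcha_parse_sid($raw_sid);
    if ($sid === null) {
        return null;
    }
    try {
        $stmt = $db->prepare('SELECT solution FROM captcha_sessions WHERE csid = :csid');
        $stmt->bindValue(':csid', $sid, PDO::PARAM_INT);
        $stmt->execute();
        $solution = $stmt->fetchColumn();
    } catch (PDOException $e) {
        error_log('image_captcha: session lookup failed: ' . $e->getMessage());
        return null;
    }
    return $solution === false ? null : (string) $solution;
}

/**
 * Handler sketch (hypothetical name): reject before rendering. In the module
 * itself the Drupal 404 helper would replace the http_response_code/exit pair.
 */
function image_captcha_image_handler(PDO $db, array $get): void {
    $solution = image_captcha_lookup_solution($db, $get['sid'] ?? null);
    if ($solution === null) {
        http_response_code(404);
        exit;
    }
    // ... render the CAPTCHA image for $solution ...
}

// Constructed sample data: an in-memory SQLite table standing in for the
// PostgreSQL captcha_sessions table, so the example runs without a site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE captcha_sessions (csid INTEGER PRIMARY KEY, solution TEXT)');
$db->exec("INSERT INTO captcha_sessions (csid, solution) VALUES (42, 'x7kq2')");

// Constructed inputs, including the scanner payload from the report.
$cases = [
    ['42',                        'valid id, row exists'],
    ['43',                        'valid id, no row'],
    ['"& ping -n 25 127.0.0.1 &', 'the scanner payload'],
    ['1e3',                       'passes is_numeric(), rejected here'],
    ['12.5',                      'passes is_numeric(), rejected here'],
    ['99999999999',               'exceeds a 32-bit integer column'],
    [['1'],                       'array value from ?sid[]=1'],
];
foreach ($cases as [$raw, $why]) {
    $solution = image_captcha_lookup_solution($db, $raw);
    printf("%-30s -> %s  (%s)\n", var_export($raw, true), $solution ?? 'null', $why);
}
```

Only the first input returns a solution; every other case yields null and would be answered with a 404 before any SQL runs, which is the behaviour a scanner like Acunetix 360 expects to see instead of a 500. The `ts` parameter in the reported URL could be validated with the same helper if it is also consumed as an integer.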

Comments

mbnsorg created an issue.