http://www.perlmonks.org?node_id=962823

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I'm new to Perl....& this web application built on perl-cgi(~10 yrs old app) Recently the Rational webAppscan that scanned the URL ,reported several(20) cgi modules for 'Information Exposure Through Query Strings in GET Request'...The remediation task suggested is 'Always use SSL and POST (body) parameters when sending sensitive information'...CWE-ID:598 I didnt see anything obvious...I was hoping someone could point out the code that is causing the vulnerability Below is the code (both cgi & the template)of one of the module ***********************airline_carrier.tmpl***************
</div> <script language="javascript" src="/gdr/js/sorttable.js"></script> <TMPL_INCLUDE NAME="./icon_top.tmpl"> <p class="page-header">Airline Carrier</p> <hr class="header-line"> <br> <form name=airline_carrier method=POST action="airline_carrier.cgi"> <table id="t1" onclick="stripe('t1')" class="data-table"> <tr class="data-table-header"> <th width=30%>Carrier Code</th> <th width=70%>Carrier Name</th> </tr> <TMPL_LOOP NAME=AIRLINE_LIST> <tr class="<tmpl_if name=__ODD__>shaded<tmpl_else>unshaded</tmpl_i +f>"> <td width=30%><TMPL_VAR NAME=CARRIER_CD></td> <td width=70%><TMPL_VAR NAME=CARRIER_NAM></td> </tr> </TMPL_LOOP> </table> </form> <TMPL_INCLUDE NAME="./icon_bottom.tmpl">
***********************airline_carrier.cgi***************
use Provider::CGI; use strict; use coplib; use Apache::DBI; use DBI; use Provider::LogAgent; use Provider::Constants; my $cgi = Provider::CGI->new(); # Store the user information in the session object my $session = {}; getSession( $session ); ## Common Log my $logger = new Provider::LogAgent($session); #my $event = $Provider::Constants::ADMIN_INFO; my $event = 20001; my $entity = ""; my $entityType = ""; my $additional = {"action"=>$Provider::Constants::COMMON_LOG_ACCESS}; $logger->store_message($event, $entity, $entityType, %$additional); my $dbh = cpDBConnect( $session ); my $loop_data=[]; my $sql_stmt; print $cgi->header( -charset => q{utf-8} ); my $template; if(( $session->{entity_type_cd} eq 'A' ) or ($session->{entity_type_cd +} eq 'S' ) ) { $template = coplib::new_template('airline_carrier.tmpl', 'Airline C +arrier', $session); } else { $event = $Provider::Constants::INVALID_LOGIC_ERROR; $logger->store_message($event, $entity, $entityType); $template = new_template("no_access.tmpl", "No Access", undef ); print $template->output(); exit; } $sql_stmt = <<SQL_STMT_TEXT; SELECT CARRIER_CD , CARRIER_NAM FROM MCAIRLINE_CARRIER ORDER BY CARRIER_CD SQL_STMT_TEXT my $sth = $dbh->prepare($sql_stmt); $sth->execute( ); $loop_data = $sth->fetchall_arrayref({}); $sth->finish; #$dbh->disconnect; $template->param( AIRLINE_LIST => $loop_data); print $template->output; END { untie $session; undef $session; }

Replies are listed 'Best First'.
Re: Need help figure out this Security vulnerability on this cgi code
by bitingduck (Chaplain) on Apr 01, 2012 at 06:05 UTC

    Do you not see anything obvious because you don't think the information is sensitive?

    It's just warning you that the string sent by the browser POST can be read by anybody with access to the browser (or anyone in between it and the server, if they care to look) and that you should use SSL if there's anything sensitive. The scanner can't really tell if the data sent is sensitive. If you communicate with the user over SSL then the warning should go away. It may not be worth it, though it might make it at least a little harder to exploit the XSS vulnerabilities pointed out in your other post.

Re: Need help figure out this Security vulnerability on this cgi code
by Anonymous Monk on Apr 01, 2012 at 03:24 UTC
        Well..It's all fromm the same App...the Security vulnerability reported by the Appscan is different & on another cgi Script...This according to the CWE-ID :598 "Information Exposure Through Query Strings in GET Request-The web application uses the GET method to process requests that contain sensitive information, which can expose that information through the browser's history, Referers, web logs, and other sources. "
Re: Need help figure out this Security vulnerability on this cgi code
by pemungkah (Priest) on Apr 02, 2012 at 22:47 UTC
    Any information which the user gives to you should be considered "sensitive". The warning is just trying to say, "If you send anything the way you're doing it now, it's very easy for someone to intercept and read it, because it's not encrypted."

    The reason for both POST and SSL is as follows:

    1. If you use GET or PUT instead of POST, the data is in the URL, which means that it can be seen traversing the net. (Sniffers, man-in-the-middle attacks, compromised router logging the traffic passing through...). Using POST takes the data out of the URL.
    2. If you use SSL, then the content of the POST is flowing across an encrypted channel and is therefore much harder to intercept (someone with a faked cert could, for instance, but the trivial attacks listed above won't work.)
    So you need both to guarantee (modulo very outside cases) that the data is secure.

    As to whether the data is "sensitive" or not, it depends on the application, but a good rule of thumb is that any personally-identifiable data is sensitive. So ages, names, addresses, email addresses, IM handles, or anything that when taken together would let you identify someone.