Jump to content

PW Security - Remote OS Command Injection


Mustafa-Online
 Share

Recommended Posts

These look like false positives, especially given the last one (a CSS file served by Apache). What's happening here is that your server is taking a long time to respond to the requests, and the testing tool is making the assumption that because it responded slowly, it must have executed the command it sent (sleep and timeout). Most likely your server took a long time to respond to the request because that testing tool is hitting the server hard, and it's either struggling to keep up, or it's throttling the tool, limiting how many requests it'll respond to at once. It's also possible you've got another server-side security tool that is detecting something trying to mess with it, and interrupting the request.

With a tool like ZAP, false positives can happen, so you should use it to find where to look, but use the information it gives you to confirm on your own whether it's an issue or not. And if you ever think you've found some security an issue in any software, contact the author directly, don't post it in a public forum.

The only other thing I'd suggest is to look at your site template that serves the first URL it mentions, and check if you are using a GET variable named "query", and if so what you are doing with it. However, I think this is unlikely given that it's reporting the same error on a CSS file, which is served directly by Apache, not ProcessWire. 

  • Like 5
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...